Question
The ADR (Accredited Data Recipient) receives one Access Token and Refresh Token when a consent is successfully granted.
When the consent expires, should the Refresh Token and the Access Token expire immediately?
Answer
The Consumer Data Standards do not specifically require an access token to become invalid when a consent expires. This is because it is valid to request a consent with a zero second duration, specifically for once off collection. As a balance we require access tokens to have a short life span.
The expectation is that, once consent has expired, no new access tokens are created. However existing access tokens should be honoured.
Comments
0 comments
Please sign in to leave a comment.