Would that be needed? Generally with OAuth2 a 401 would indicate there is some issue with the token and to either refresh a refresh token (if one was issued) or to request the user re-authorise the application.

Unless we're recommending the use of a refresh token, I'm not sure if we'd need clients to keep an eye on the expires_in from the initial issue, or calls to introspect on the token endpoint.

This post was filed under replies.
