Quoting the documentation: "The default expiry of access tokens is 24 hours. You can refresh an access token without prompting the user for permission again even if a user is not present. The refresh token, by default, expires in 2 weeks."
What if I want to continue using the integration without human intervention after 2 weeks? Is the end user obliged to reauthenticate every 2 weeks? That would be kind of not the best user experience in my opinion.
Sorry, this question was just brought to my attention. For faster service on questions about the API, please do not rely on the community forum--instead, email us at email@example.com. I rarely visit the forums because they are usually not API-related.
To your question, the reason we limit the expiration is that Stock access tokens can be used to purchase goods and are typically tied directly to your account or credit card. If your application credentials or any of your tokens were leaked, your customers could be the victims of fraud and you as the developer would be partly responsible. So I doubt you or your users want to take that risk, unless this was an internal application.
Instead, what we can permit is for you to request a new refresh token every two weeks, rather than the same one. Currently, you receive the same refresh token with a hard-coded expiration of two weeks from the first time you request it. We can change this so that we return a new refresh token with a new expiration, so that you could keep the user perpetually signed in as long as they actively use the application. If they stop using it, then they would get signed out.
If you want to look into this possibility, please email us at firstname.lastname@example.org and tell us your business use case. Again, keep in mind this adds additional risk to you and your users. We typically only allow this for internal applications where the developer and users are part of the same company or project, or an application that does not allow licensing of assets.
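The two policies described in the reply above, modeled as an added example that is not part of the thread or of the vendor's API: `TokenService` and `days_until_signed_out` are hypothetical names, the 24-hour and 2-week lifetimes come from the quoted documentation, and invalidating the old refresh token on rotation is an assumption the thread does not state.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

ACCESS_TTL = timedelta(hours=24)   # from the quoted documentation
REFRESH_TTL = timedelta(weeks=2)   # from the quoted documentation

@dataclass
class TokenService:
    """Hypothetical in-memory issuer; models only the expiry policy."""
    rotate: bool                                   # False = fixed expiry, True = rotation
    _refresh: dict = field(default_factory=dict)   # refresh token -> expiry time

    def login(self, now):
        token = secrets.token_urlsafe(16)
        self._refresh[token] = now + REFRESH_TTL
        return token

    def refresh(self, token, now):
        """Return (access_token_expiry, refresh_token) or raise PermissionError."""
        expiry = self._refresh.get(token)
        if expiry is None or now >= expiry:
            self._refresh.pop(token, None)
            raise PermissionError("refresh token expired or unknown; sign in again")
        if self.rotate:
            # Assumption: the old token stops working once it has been exchanged,
            # so a leaked copy is only useful until the next legitimate refresh.
            del self._refresh[token]
            token = secrets.token_urlsafe(16)
            self._refresh[token] = now + REFRESH_TTL
        return now + ACCESS_TTL, token

def days_until_signed_out(service, refresh_every_days, horizon_days=60):
    """Simulate a client refreshing every N days; return the day it fails, or None."""
    start = datetime(2024, 1, 1)  # constructed start date
    token = service.login(start)
    for day in range(refresh_every_days, horizon_days + 1, refresh_every_days):
        try:
            _, token = service.refresh(token, start + timedelta(days=day))
        except PermissionError:
            return day
    return None

if __name__ == "__main__":
    print("fixed, daily refresh:", days_until_signed_out(TokenService(rotate=False), 1))
    print("rotating, daily refresh:", days_until_signed_out(TokenService(rotate=True), 1))
    print("rotating, idle 20 days:", days_until_signed_out(TokenService(rotate=True), 20))
```

With a fixed expiry the client is signed out on day 14 however often it refreshes; with rotation it stays signed in while it refreshes within each two-week window and is signed out after a longer idle gap.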