Client credentials rotation with expiring offline tokens

Hi,

I’m trying to understand whether the Client Credential Rotation flow supports apps using expiring offline access tokens.

According to the documentation, the rotation flow requires providing:

  • a temporary refresh token generated from the Partner Dashboard
  • the current access token
  • the new client secret

However, our app uses expiring offline tokens, meaning each shop has:

  • an expiring access token
  • a rotating refresh token

My confusion is around the access_token parameter in the credential rotation request:

  1. Can the Client Credential Rotation endpoint return the expiring offline token?
  2. Can the access_token provided to the Client Credential Rotation endpoint be an expiring offline access token?
  3. Is this flow intended to work for both legacy non-expiring tokens and expiring offline tokens?
  4. If an expiring offline token is used, what happens to the corresponding shop refresh token?
    • Does it remain valid?
    • Is a new refresh token returned?
    • Is the flow unsupported for expiring tokens?

The documentation shows the response returning an access token only, so it’s unclear how this interacts with the expiring access token + refresh token lifecycle.

Any clarification would be appreciated.

The Client Credential grant works differently than the Authorization Code and Token Exchange grant types. When you use Client Credentials grant you will not receive a refresh token. This is because you don’t need a refresh token to acquire new access tokens when using Client Credentials grant, you simply use your app’s client credentials. The OAuth 2 spec prohibits providing a refresh token in the response during a Client Credentials grant.
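As an added illustration (not code from the question, the reply, or Shopify), this constructed Python model contrasts the two lifecycles the reply describes: a client credentials session that renews using only the app's client id and secret and treats any refresh_token in that response as an error, beside a rotating refresh token path where each refresh token is single-use. The fake endpoint, parameter names and TTL are assumptions, not a real token server.

```python
import time
import secrets
from dataclasses import dataclass, field

@dataclass
class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth 2 token endpoint (not Shopify's); checks are simulated."""
    client_id: str
    client_secret: str
    ttl: int = 3600
    refresh_tokens: set = field(default_factory=set)  # currently valid rotating refresh tokens

    def token(self, p):
        if p["grant_type"] == "client_credentials":
            if (p["client_id"], p["client_secret"]) != (self.client_id, self.client_secret):
                raise PermissionError("invalid_client")
            # Client credentials grant: access token only, no refresh_token in the response.
            return {"access_token": secrets.token_urlsafe(16), "expires_in": self.ttl}
        if p["grant_type"] == "refresh_token":
            if p["refresh_token"] not in self.refresh_tokens:
                raise PermissionError("invalid_grant")
            self.refresh_tokens.discard(p["refresh_token"])  # rotation: each refresh token is single-use
            new_rt = secrets.token_urlsafe(16)
            self.refresh_tokens.add(new_rt)
            return {"access_token": secrets.token_urlsafe(16), "expires_in": self.ttl, "refresh_token": new_rt}
        raise ValueError("unsupported_grant_type")

class ClientCredentialsSession:
    """Keeps a valid access token using only the app's client id/secret; secret rotation is a field swap."""
    def __init__(self, endpoint, client_id, client_secret, clock=time.time):
        self.endpoint, self.client_id, self.client_secret, self.clock = endpoint, client_id, client_secret, clock
        self._token, self._expires_at = None, 0.0

    def rotate_secret(self, new_secret):
        self.client_secret = new_secret  # the new secret is used on the next acquisition; nothing else to migrate

    def access_token(self, skew=60):
        if self._token is None or self.clock() >= self._expires_at - skew:
            resp = self.endpoint.token({"grant_type": "client_credentials",
                                        "client_id": self.client_id, "client_secret": self.client_secret})
            if "refresh_token" in resp:  # a refresh token here would be out of spec; fail loudly
                raise RuntimeError("unexpected refresh_token in client_credentials response")
            self._token, self._expires_at = resp["access_token"], self.clock() + resp["expires_in"]
        return self._token
```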