Expiring offline access tokens required for new public apps starting April 1

We’re updating how public apps handle offline access tokens to better protect merchant data. New public apps created on or after April 1, 2026 must request and use expiring offline access tokens.

This change affects only new public apps. Custom apps, merchant apps, and all apps created before April 1, 2026 are not affected.

Learn how expiring tokens differ from non-expiring tokens.

Why this change

Expiring tokens enhance security. If a token is ever leaked, its limited lifespan significantly narrows the risk to both your app and the merchants who trust it. This change aligns with modern OAuth practices, and as a developer it lets you build your app around predictable refresh flows.

Learn more:

Learn more on how to acquire expiring offline tokens, including refresh handling and rotation in the dev docs.

1 Like
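To make the "predictable refresh flow" concrete, here is an added example (not Shopify's code and not from the announcement) of the client-side logic an app needs once its offline token expires: refresh ahead of expiry with a safety margin, persist the rotated refresh token before using it, serialize refreshes per shop, and fall back to re-authorization when a refresh is rejected. The response field names (`access_token`, `expires_in`, `refresh_token`) and the injected `refresh_fn` are assumptions; the real exchange is documented in the dev docs linked above.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed shape of a refresh response: access_token / expires_in / refresh_token.
# Verify the real field names against Shopify's dev docs before relying on them.
TokenResponse = dict


@dataclass
class OfflineToken:
    access_token: str
    refresh_token: str
    expires_at: float  # unix time after which access_token is no longer valid


class ExpiringTokenStore:
    """Holds one shop's expiring offline token and refreshes it before expiry.

    refresh_fn performs the refresh exchange with the authorization server;
    it is injected here so the rotation logic can be exercised offline.
    It returns the new token response, or None if the refresh was rejected.
    """

    def __init__(self, token: OfflineToken,
                 refresh_fn: Callable[[str], Optional[TokenResponse]],
                 skew_seconds: int = 60,
                 clock: Callable[[], float] = time.time):
        self._token = token
        self._refresh_fn = refresh_fn
        self._skew = skew_seconds      # refresh this long before expiry
        self._clock = clock
        self._lock = threading.Lock()  # one refresh at a time per shop
        self.needs_reauth = False      # set when the refresh token is dead

    def get_access_token(self) -> str:
        with self._lock:
            if self._clock() >= self._token.expires_at - self._skew:
                self._refresh()
            if self.needs_reauth:
                raise RuntimeError("token refresh failed; re-run the OAuth install")
            return self._token.access_token

    def _refresh(self) -> None:
        resp = self._refresh_fn(self._token.refresh_token)
        if not resp:  # refresh token revoked or expired: merchant must reinstall
            self.needs_reauth = True
            return
        # Rotation: the old refresh token is single-use, so store the new pair
        # before any API request is made with it.
        self._token = OfflineToken(
            access_token=resp["access_token"],
            refresh_token=resp["refresh_token"],
            expires_at=self._clock() + int(resp["expires_in"]),
        )
```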

Good! I’m glad you’re focusing on hardening merchant access. This helps automate best security practices.

In the same vein, please consider separating financially riskier mutations into their own scope, separate from write_orders:

[Proposal] `orders_write_transactions` scope

2 Likes

Hi @TerenceShopify

Will this affect apps that haven’t yet applied for review but meant for public distribution? And apps that are waiting for review and not in the app store yet?

Or by “public apps” you mean “Any app with Public distribution, under development, in review, or published in the app store” ?

The date that matters is when the app was created. If an app is created today (March 23) and submitted for app store review in a month’s time (April 23) it won’t be subject to this requirement. If the app is created in a ~week on April 1 then it will be subject to enforcement once it’s marked as a public app.