Expiring offline access tokens required for new public apps starting April 1st

We’re updating how public apps handle offline access tokens to better protect merchant data. New public apps created on or after April 1, 2026 must request and use expiring offline access tokens.

This change affects only new public apps. Custom apps, merchant apps, and all apps created before April 1, 2026 are not affected.

Learn how expiring tokens differ from non‑expiring tokens.

Why this change

Expiring tokens enhance security. If a token is ever leaked, its limited lifespan significantly narrows the risk to both your app and the merchants who trust it. This change aligns with modern OAuth practices, and as a developer it lets you build your app around predictable refresh flows.

Learn more

See the dev docs for how to acquire expiring offline tokens, including refresh handling and rotation.