Instagram is invalidating access tokens. I thought they didn't?

Question

As far as I thought, Instagram does not invalidate access tokens based on their documents. But for a few users of the thousands using one of my applications built on their API, that does not seem to be the case.

I originally referred to the following SO question when initially building the application, and a few others - but I came to the conclusion (or so I thought) that Instagram does not invalidate tokens, which does not seem to be true: Instagram access token expire

Our application makes requests on behalf of a user at specific times of the day. It is an application that users may only need to ever log into once to utilize the service.

Here, for example is a user who signed up 4 days ago - his service was working great until this morning, when testing his access token we were receiving this response:

{"meta":  {
    "error_type": "OAuthAccessTokenException",
    "code": 400,
    "error_message": "The access_token provided is invalid."
    }}

Why would this be happening on an access token that was valid 4 days ago? We asked the specific user this error is being returned for if he revoked access to our application or anything along those lines, and he did not.

I'm curious if perhaps he changed his IG password which invalidated his access tokens for applications (Although that doesn't seem likely as to what would cause this?)

Does anyone else have experience with Instagram applications randomly invalidating access tokens?

Also, note that 99% of users who have been using our application for a month or more have never had this issue. We've only encountered 3 to 5 other accounts this has happened with.

score 0 · Answer 1 · answered Feb 09 '15 at 08:58

0

It's not really random. In fact an access token can be invalided in this 2 cases:

the user changed his password or where forced to do so (when IG thinks your account has been compromised).
they deleted the app the access token is linked to. (Or IG forces the app to be deleted if they suspect spam behavior)

But they do not expire from time.

answered Feb 09 '15 at 08:58

Jérôme Mahuet

874
8
13

Thank you for the clarification! The first case I was not aware of. – Braydon Batungbacal Feb 09 '15 at 11:42
How would one revalidate the user without logging into their account though? – Jches Aug 03 '15 at 15:43

score 0 · Answer 2 · answered Dec 07 '16 at 03:02

From own experience the token can expire if:

the user removes the app
the Instagram account gets temporary locked which can happen if the Instagram user logs in from an unknown device/location (e.g. another country). The user is being asked to confirm identity by inserting an SMS code. The second scenario is probably an Instagram bug. Why would the app token expire each time the account gets temporary locked? Would like to get an answer from Instagram as well.

NOTE: The token does not expire if user changes password.

Instagram is invalidating access tokens. I thought they didn't?

2 Answers2