Refreshing an Access Token

Current information about Live Connect is now available in the Windows Live Developer Center. The information in the following sections is provided for legacy purposes only.

You can use a refresh token to acquire a new access token so that you can continue to access a protected resource on behalf of a user. You can request new access tokens until the refresh token expires. A refresh token's expiration is determined by the length of time that a user provides consent to your application.

A refresh token request must be in the form of an HTTP POST message. The following example illustrates how to send this message to the refresh token endpoint.

private string GetNewAccessToken()
    NameValueCollection appSettings = WebConfigurationManager.AppSettings;

    string requestUrl = "";

    string refreshToken = "" //Refresh token goes here.

    // Request the access token.
    string postData = string.Format("{0}?wrap_refresh_token={1}",
    byte[] postDataEncoded = System.Text.Encoding.UTF8.GetBytes(postData);

    WebRequest req = HttpWebRequest.Create(requestUrl);
    req.Method = "POST";
    req.ContentType = "application/x-www-form-urlencoded";
    req.ContentLength = postDataEncoded.Length;

    Stream requestStream = req.GetRequestStream();
    requestStream.Write(postDataEncoded, 0, postDataEncoded.Length);

    WebResponse res = req.GetResponse();

    string responseBody = null;

    using (StreamReader sr = new StreamReader(res.GetResponseStream(), Encoding.UTF8))
        responseBody = sr.ReadToEnd();

    // Process FORM POST.
    NameValueCollection responseCollection = System.Web.HttpUtility.ParseQueryString(responseBody);

    return responseCollection["wrap_access_token"];

The elements of an access token request are described in the following table.

Access Token Request Element Description

URL endpoint

Provides the Windows Live endpoint that processes the request. In most cases, this endpoint is

You must access this URL by using SSL.


Contains the refresh token that is used to generate a new access token. You receive this token when you first request an access token. See Acquiring an Access Token for more information.

An example refresh token is 8on+MAtOTb60tvl/DU7YbHLQC9GuAI0ladnkCF8tUCK4mH7m0tMXuONjZmlZuw/GOYTavqnefussehnmwdN8RtgxkZ5JeEpP3IZRTRUfiBkzKJHJpt2+sKyUw/Uk9vh5H4nk06RKsyIo8GOrWpMlpTpICflx3fRjCl0BW/wKLH4=

If your application uses a refresh token that was created with the Windows Live ID Delegated Authentication for Application Providers SDK, you must use the wrap_client_id and wrap_client_secret parameters to supply a client ID and secret.

As described in Acquiring an Access Token, an access token has a limited time-to-live value, ranging from 8 hours to 16 hours. To continue accessing a protected resource on behalf of a user, your application can request a new access token by using a refresh token.

A refresh token is sent to your application when you successfully request an access token from a user by using the endpoint. This token remains effective for generating new access tokens until the consent period that the user specified for your application expires.

A success response from the Windows Live service contains the following information:

  • wrap_access_token. This parameter contains the access token that your application can then use to acquire user information from a protected resource.
  • wrap_access_token_expires_in. This parameter indicates when the access token expires. The value in this parameter is an integer, which you can convert to the date format of your choice.
    There are two standard time-to-live values for an access token. If the user selects the option for the Windows Live service to remember the application's connection, the default value is 16 hours. If the user does not select this option, the default value is 8 hours. Keep in mind that different protected resources can have different time-to-live values for access tokens, which may be less than the default values.

In general, we recommend that you store the refresh token in a reliable location, such as a database. Should a refresh token become unavailable or expire, you must request a new verification code, which requires the user to supply their credentials and provide consent for your application. See Acquiring a Verification Code for more information.

If a user revokes consent before the refresh token expires, the Windows Live service automatically invalidates the token so that it cannot be used. If your application currently has a valid access token, that token remains valid until it expires, even if the user revokes consent.