Understand how to manage access and refresh tokens to maintain persistent access to vehicles.
Smartcar uses OAuth 2.0 access tokens to secure API requests. Managing these tokens correctly is critical for ensuring your application can reliably interact with vehicles.
Access Tokens: Short-lived tokens (2 hours) used to authorize requests to the Smartcar API.
Refresh Tokens: Long-lived tokens (60 days) used to obtain new access tokens without requiring the user to re-authenticate.
Refreshing Refresh Tokens: How to obtain a new refresh token so that access is maintained beyond 60 days.
When you use a refresh token, you receive a new refresh token in the response. You must save this new refresh token for future use, as the old one is invalidated.
By default tokens are scoped to the user’s connected services account.
This means that if there are multiple vehicles on the account and they are selected at the time of authorization, the access token is valid for all of those vehicle ids.
To manage this, we recommend using the Smartcar user id to link tokens to your corresponding user id. The diagram below shows this mapping; it also allows multiple users to connect to vehicles on the same account.
When using the Single Select flow, tokens are strictly scoped to the vehicle that was authorized for that Connect session.
This means that if a user connects multiple vehicles under the same connected services account, each vehicle id will be tied to its own set of tokens.
Access tokens are valid for 2 hours, while refresh tokens are valid for 60 days. You can use the corresponding refresh token to fetch a new token pair once an access token has expired. In order to maintain access to a vehicle without having the user go through Connect again, you’ll want to make sure the refresh token never expires.
Whenever you fetch a new token pair, we return a new access token and a new refresh token. An access token that has not yet expired remains valid until its expiry even after you fetch a new token pair; refresh tokens, on the other hand, are invalidated 1 minute after they are used. To avoid common 401 authentication errors, please ensure you persist both the access token and the refresh token we return whenever you fetch a new pair.
In addition to any logic that checks access token expiry when making an API request, we strongly recommend having another job that periodically checks for refresh tokens that are close to expiry and refreshes them.
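The two pieces of logic described above (rotating the pair before an API request when the access token is about to expire, and a periodic job that rotates pairs whose refresh token is close to its 60-day expiry) can be combined in one small token manager. The following is an added example, not Smartcar's SDK or documentation code: it assumes a refresh callable that takes a refresh token and returns a dict shaped like an OAuth token response (`access_token`, `refresh_token`, `expires_in`, `refresh_expires_in`). The in-memory store, the fake clock and the fake token endpoint are constructed for the example; the fake endpoint mirrors the documented rules (every refresh returns a new pair, and the used refresh token stops working one minute later), so the manager's persist-both-tokens-immediately behaviour can be exercised offline.

```python
"""Access/refresh token lifecycle for Smartcar-style OAuth 2.0 token pairs.

Added example (not Smartcar's SDK). Assumes a refresh callable that takes a
refresh token and returns a dict with access_token, refresh_token, expires_in
and refresh_expires_in. Store, clock and token endpoint below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from uuid import uuid4

ACCESS_TTL = timedelta(hours=2)             # access tokens are valid for 2 hours
REFRESH_TTL = timedelta(days=60)            # refresh tokens are valid for 60 days
USED_REFRESH_GRACE = timedelta(minutes=1)   # a used refresh token is invalidated 1 minute later


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    access_expires_at: datetime
    refresh_expires_at: datetime


class FakeClock:
    """Constructed clock so the example can move through time deterministically."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: each refresh returns a new pair,
    and the refresh token that was used dies USED_REFRESH_GRACE later."""
    def __init__(self, clock: FakeClock):
        self.clock = clock
        self._invalid_at = {}   # refresh token -> datetime it becomes invalid (None = still live)
        self.calls = 0          # number of refresh calls, for inspection

    def _new_pair(self) -> dict:
        pair = {
            "access_token": "at-" + uuid4().hex[:8],
            "refresh_token": "rt-" + uuid4().hex[:8],
            "expires_in": int(ACCESS_TTL.total_seconds()),
            "refresh_expires_in": int(REFRESH_TTL.total_seconds()),
        }
        self._invalid_at[pair["refresh_token"]] = None
        return pair

    def issue(self) -> dict:
        """Initial pair, as returned after the Connect authorization code exchange."""
        return self._new_pair()

    def refresh(self, refresh_token: str) -> dict:
        self.calls += 1
        dies_at = self._invalid_at.get(refresh_token, self.clock())  # unknown token: already dead
        if dies_at is not None and self.clock() >= dies_at:
            raise PermissionError("invalid_grant: refresh token unknown or already rotated")
        if self._invalid_at[refresh_token] is None:
            self._invalid_at[refresh_token] = self.clock() + USED_REFRESH_GRACE
        return self._new_pair()


class TokenManager:
    """Keeps one token pair per Smartcar user id and rotates it before it expires."""
    def __init__(self, refresh_fn, clock, access_margin=timedelta(minutes=5),
                 refresh_margin=timedelta(days=7)):
        self.refresh_fn = refresh_fn
        self.clock = clock
        self.access_margin = access_margin     # rotate this long before the access token expires
        self.refresh_margin = refresh_margin   # rotate this long before the refresh token expires
        self._store = {}                       # user id -> TokenPair; use durable storage in production

    def save_response(self, user_id: str, resp: dict) -> TokenPair:
        """Persist BOTH tokens from a token response before anything else uses them."""
        now = self.clock()
        pair = TokenPair(resp["access_token"], resp["refresh_token"],
                         now + timedelta(seconds=resp["expires_in"]),
                         now + timedelta(seconds=resp["refresh_expires_in"]))
        self._store[user_id] = pair
        return pair

    def get(self, user_id: str) -> TokenPair:
        return self._store[user_id]

    def access_token_for(self, user_id: str) -> str:
        """Call before each API request: rotate if the access token is (nearly) expired."""
        pair = self._store[user_id]
        if self.clock() + self.access_margin >= pair.access_expires_at:
            pair = self.save_response(user_id, self.refresh_fn(pair.refresh_token))
        return pair.access_token

    def rotate_expiring_refresh_tokens(self) -> list:
        """Periodic job: rotate every pair whose refresh token is within refresh_margin
        of expiry, so the user never has to go through Connect again."""
        rotated = []
        for user_id, pair in list(self._store.items()):
            if self.clock() + self.refresh_margin >= pair.refresh_expires_at:
                self.save_response(user_id, self.refresh_fn(pair.refresh_token))
                rotated.append(user_id)
        return rotated
```

The important design point is in `save_response`: the new pair is written to the store before the new access token is handed back to the caller. Because the old refresh token dies one minute after use, a process that refreshes and then crashes before persisting would leave the stored pair unusable, which surfaces later as the 401 errors mentioned above. In production, `refresh_margin` would be tuned to the schedule of the periodic job (for a weekly job, a margin longer than one week).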