Revoked or Expired Authentication Tokens

Handling a common developer pitfall

Access tokens are issued by the Evernote API at the end of the OAuth authentication flow. For most Evernote integrations, these tokens will expire after one year. The authorizing user also has the option to choose a shorter duration (one day, one week or one month) and revoke access tokens associated with a given integration. In any case, it’s important to build integrations that can react elegantly to access tokens that have been revoked or expired.

Identifying and Handling Revoked or Expired Access Tokens

When a request is made to the Evernote API using an expired or revoked auth token, an exception of type EDAMUserException is raised containing the error code AUTH_EXPIRED. Integrations should handle this condition and, if it occurs, prompt the user to authenticate again:

[App] is no longer authorized to access your Evernote account. (Click/Tap) below to re-authorize [app]"

Other steps you may want to take to ensure your application handles this situation smoothly might be to cache user data that was sent to Evernote when the error occurred so it can be sent again once a valid authentication token has been received or giving the user the option to continue using the application without forcing them to immediately re-authenticate with Evernote.

Evernote Business Note: Please note that business Authorization tokens retrieved using UserStore.authenticateToBusiness are only valid for one hour and can be regenerated without user input.

Access Token Expiration

Each access token has an expiration date. By default the duration of access token validity is 1 year from the date of issue. The user can alter this duration to 1 day, 1 week or 1 month. In all these cases (including a 1 year token) the expiration date will be included as the parameter edam_expires. The value of this parameter will be a standard UNIX timestamp in units of milliseconds indicating the date and time of expiration.

Access Token Revocation

Users can revoke access to your application at any time through their Account Settings > Security > Applications page located here:


Any valid access token issued through your API key will be present in the user's Account Settings page. In order to keep your application from generating multiple valid access tokens you must revoke your own token before requesting a new access token.

The above is an example of a poorly authorizing application. Please revoke your existing, valid access tokens before requesting another access token.

How to Revoke an Access Token

To revoke an access token (due to user or application action) use the revokeLongSession method documented here. This method takes one parameter (your access token that corresponds to the user that wishes to revoke your application access to their Evernote account) and will invalidate that same access token. Use of the access token after revocation will result in an error. If that same user wishes to regrant access of their Evernote account to your application you must send them through the OAuth flow again.

Stay on top of what's happening in the Evernote developer community.