Improve documentation around the mandatory 90-day app re-authentication

Every 90 days the user is required to re-authenticate an app, as mentioned here - which presents 3 problems:

  1. The user gets no notification that they need to re-authenticate, nor that it’s something they ever need to do.
  2. The API responses suddenly start returning 403s (forbidden.insufficient_permissions) with no indication why this previously valid authentication token is now lacking permissions.
  3. The API docs make no reference to any of this being a thing that can happen.

I made an app that automatically sorts my salary (before the salary sorter existed in the app, and mine is more feature-rich so I still use it). This means that it only attempts to use the API once a month, so every other month I’d seemingly randomly hit this 403 problem. It was only by chance I found a link to that topic on whatever search I tried sticking in a search engine this time around.

I wasn’t even aware of the manage apps section buried within the apps settings, so I’ve manually been having to go through the entire authentication process every 3 months!

Also, how come some third-party apps such as IFTTT and Flux don’t need to be refreshed every 90 days? They simply state “Ongoing session” instead of “x days remaining”. Is there a way I can force my app to have an ongoing session as well?

6 Likes
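The failure mode described in the post above, in client code, as an added example that is not part of the original thread and not Monzo's or the poster's code: a small wrapper that records when the user last approved the app, warns a monthly job when the 90-day window is about to close, and treats a 403 carrying `forbidden.insufficient_permissions` as "re-approval needed" rather than as a generic permission error. The error code and the 90-day window come from the thread; the JSON error-body shape (`{"code": ..., "message": ...}`), the `/accounts` path, the 7-day warning lead time and the stub transport are assumptions so the example runs offline.

```python
"""Client-side handling of the 90-day re-approval window.

Constructed example. The error code and 90-day figure are from the thread;
the error-body shape, the /accounts path and the transport stub are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

REAUTH_WINDOW = timedelta(days=90)     # from the thread
WARN_BEFORE = timedelta(days=7)        # our own choice: nag a week ahead
REAUTH_CODE = "forbidden.insufficient_permissions"   # from the thread


class ReauthRequired(Exception):
    """Raised when the API rejects a token because the 90-day approval lapsed."""


@dataclass
class TokenState:
    access_token: str
    approved_at: datetime   # when the user last approved the app in-app

    def expires_at(self) -> datetime:
        return self.approved_at + REAUTH_WINDOW

    def days_remaining(self, now: datetime) -> int:
        return max(0, (self.expires_at() - now).days)

    def needs_warning(self, now: datetime) -> bool:
        """True inside the warning window, so a monthly job can alert early."""
        return self.expires_at() - now <= WARN_BEFORE


def classify_response(status: int, body: bytes) -> str:
    """Map an API response to 'ok', 'reauth' or 'error'.

    A 403 with the specific code means the approval lapsed; any other 403
    (or an unparsable body) is reported as a plain error, not a re-auth.
    """
    if status == 200:
        return "ok"
    if status == 403:
        try:
            code = json.loads(body).get("code")
        except (ValueError, AttributeError):
            code = None
        if code == REAUTH_CODE:
            return "reauth"
    return "error"


def fetch_accounts(transport, token: TokenState, now: datetime) -> list:
    """Run the request; on a lapsed approval, raise with the dates involved."""
    status, body = transport("GET", "/accounts", token.access_token)
    outcome = classify_response(status, body)
    if outcome == "reauth":
        raise ReauthRequired(
            f"approval given {token.approved_at.date()} lapsed on "
            f"{token.expires_at().date()}; re-approve the app under "
            f"Settings > Manage apps")
    if outcome == "error":
        raise RuntimeError(f"API error {status}: {body!r}")
    return json.loads(body)["accounts"]


def fake_transport_factory(approved_at: datetime, now: datetime):
    """Constructed stand-in for HTTP that mimics the behaviour in the thread:
    the same token works until day 90, then every call returns the 403."""
    def transport(method, path, access_token):
        if now - approved_at > REAUTH_WINDOW:
            body = {"code": REAUTH_CODE, "message": "insufficient permissions"}
            return 403, json.dumps(body).encode()
        return 200, json.dumps({"accounts": [{"id": "acc_example"}]}).encode()
    return transport


if __name__ == "__main__":
    approved = datetime(2022, 1, 1, tzinfo=timezone.utc)
    tok = TokenState("tok_example", approved)
    for day in (30, 85, 91):
        now = approved + timedelta(days=day)
        print(f"day {day}: {tok.days_remaining(now)} days left, "
              f"warn={tok.needs_warning(now)}")
        try:
            fetch_accounts(fake_transport_factory(approved, now), tok, now)
            print("  request ok")
        except ReauthRequired as exc:
            print(f"  re-approval needed: {exc}")
```

Keeping `approved_at` alongside the token is the part that matters: the API itself gives no advance notice, so the client has to own the calendar and surface the lapse as a distinct condition instead of a bare 403.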

Not that it helps here, but Starling notifies you of the 90-day expiry period and you are asked to approve in app to continue uninterrupted, other than this approval.

So does Monzo, but this isn’t about the app; this is about the API.

1 Like

Fully aware, my response was in relation to the API. On Starling if you use a personal access token to access the API you get the notification in app before the 90 days and provide approval as you would for other connected services.

1 Like

Still poor docs in 2022. The lack of feedback to the user is especially annoying. The first time you try to access data after they’ve authenticated, they get a notification prompting them to allow access to data. Can’t this just be done again after the 90 days?