OAuth refresh strategies - Transfer

Dwolla’s implementation of the OAuth 2.0 standard uses short-lived access tokens and long-lived refresh tokens for account authorization. When a user account grants authorization to an application, Dwolla will issue an access token which expires in 1 hour and a refresh token which expires in 60 days. You’ll likely want to access a user account for longer than 1 hour, which means you’ll want to implement a way to refresh authorization.

Note: A user account can represent your own account or an account that belongs to a user of your application. Follow these strategies even if you’re only using OAuth in order to access your own account via the API.

Important: We recommend securely storing access/refresh tokens in a database with the associated user account.

There are two recommended strategies for managing short-lived access tokens. If your application relies heavily on the Dwolla API and calls it several times a day, we recommend setting up a cron job that refreshes authorization continually throughout the day. If, on the other hand, your application only calls Dwolla’s API once a day or once a month, we recommend refreshing your token pair before making any API call.
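Both strategies can share one refresh routine, sketched below as an added example that is not Dwolla's code. The dict `store` stands in for the database, and `refresh_fn` is a hypothetical callable that sends the refresh request and returns the new token pair; `SKEW` is an assumed safety margin.

```python
import time
from dataclasses import dataclass

ACCESS_TTL = 60 * 60             # access token lifetime from the page: 1 hour
REFRESH_TTL = 60 * 24 * 60 * 60  # refresh token lifetime from the page: 60 days
SKEW = 60                        # assumed safety margin in seconds


class ReauthorizationRequired(Exception):
    """Refresh token expired; the user account must grant authorization again."""


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    issued_at: float  # epoch seconds when this pair was issued


def ensure_fresh(store, account_id, refresh_fn, now=None, force=False):
    """Return a usable access token for account_id, refreshing the pair if needed.

    store: dict stand-in for the database keyed by user account.
    refresh_fn: hypothetical callable that sends the refresh request and
    returns (new_access_token, new_refresh_token).
    """
    now = time.time() if now is None else now
    pair = store[account_id]
    if not force and now < pair.issued_at + ACCESS_TTL - SKEW:
        return pair.access_token            # still valid, no network call
    if now >= pair.issued_at + REFRESH_TTL - SKEW:
        raise ReauthorizationRequired(account_id)
    access, refresh = refresh_fn(pair.refresh_token)
    # Persist the whole new pair before using it so the stored refresh
    # token never lags behind the one the server last issued.
    store[account_id] = TokenPair(access, refresh, now)
    return access


def refresh_all(store, refresh_fn, now=None):
    """Scheduled-job strategy: refresh every account, report lapsed ones."""
    lapsed = []
    for account_id in list(store):
        try:
            ensure_fresh(store, account_id, refresh_fn, now, force=True)
        except ReauthorizationRequired:
            lapsed.append(account_id)
    return lapsed
```

Call `ensure_fresh` immediately before each API request for the refresh-before-call strategy, or run `refresh_all` from the cron job at an interval shorter than the access token lifetime.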

