Access token: short‑lived. Treat it as expiring soon; use expiration_time from credentials to decide when to refresh.
Refresh token: long‑lived. Use it to obtain new access tokens.
Rotation/invalidation: when you refresh, the previous access token is immediately invalidated (cannot be reused).
Scope/permissions: tied to the app install and user consent; changes in workspace/base permissions can cause 401/403 on previously valid tokens.
Error signals:
401/invalid_token when the access token is expired or was just rotated.
403/permission errors when scopes or resource access changed.
Client usage: always send Authorization: Bearer <access_token>. Refresh proactively a few minutes before expiration_time to avoid edge failures.
When you refresh an Airtable token, the old token gets invalidated.
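Added example, not Airtable's or any SDK's code: a client-side token cache that refreshes a few minutes before expiration_time, serializes refreshes so two callers cannot invalidate each other's token, and retries once on 401 but never on 403. The refresh_fn callable, the credential dict layout, expiration_time as epoch seconds, and FakeIssuer (a constructed stand-in for the token endpoint) are assumptions.

```python
import threading
import time

class TokenManager:
    """Serializes refreshes: each refresh invalidates the previous access token."""
    def __init__(self, refresh_fn, creds, skew=300, clock=time.time):
        self._refresh_fn = refresh_fn  # hypothetical: refresh_token -> new creds dict
        self._creds = dict(creds)      # expiration_time assumed to be epoch seconds
        self._skew = skew              # refresh this many seconds before expiry
        self._clock = clock
        self._lock = threading.Lock()

    def _refresh_if_current(self, stale):
        # Caller holds the lock. Skip if another caller already rotated `stale`,
        # otherwise a second refresh would invalidate the token it just obtained.
        if self._creds["access_token"] == stale:
            self._creds = dict(self._refresh_fn(self._creds["refresh_token"]))
        return self._creds["access_token"]

    def access_token(self):
        with self._lock:
            token = self._creds["access_token"]
            if self._clock() >= self._creds["expiration_time"] - self._skew:
                token = self._refresh_if_current(token)
            return token

    def call(self, send):
        """send(headers) -> (status, body). Retries once on 401 only; a 403 is a
        permission change that a fresh token does not fix."""
        token = self.access_token()
        status, body = send({"Authorization": f"Bearer {token}"})
        if status == 401:
            with self._lock:
                token = self._refresh_if_current(token)
            status, body = send({"Authorization": f"Bearer {token}"})
        return status, body

class FakeIssuer:
    """Constructed stand-in for the token endpoint and API; models rotation only."""
    def __init__(self):
        self.n, self.valid = 0, None
    def refresh(self, refresh_token):
        self.n += 1
        self.valid = f"access-{self.n}"  # the previous token stops working here
        return {"access_token": self.valid, "refresh_token": refresh_token,
                "expiration_time": 1000 + 3600 * self.n}
    def api(self, headers):
        ok = headers["Authorization"] == f"Bearer {self.valid}"
        return (200, "ok") if ok else (401, "invalid_token")
```

In a multi-process deployment the lock has to live in shared storage alongside the credentials, because an in-process lock does not stop a second worker from rotating the token.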