# Authentication limitations

A maximum of 50 refresh tokens are allowed per combination if `client_id` and `user_id.` When this limit is exceeded, older refresh tokens are automatically deleted.

To be able to use our API, you will need an `access_token` that is generated most of the times via a `refresh_token`.  An `access_token` has usually a life-time of 1 hour, but a `refresh_token` has a bigger life time, by default from 4 weeks to 3 years.

| Token type      | Maximum tokens                 |
| --------------- | ------------------------------ |
| `refresh_token` | `50 per client_id and user_id` |
| `access_token`  | `Infinite`                     |

{% hint style="info" %}
Important:  Please make sure to store `refresh_token` in redis or some similar caching provider, and ALWAYS in a secure storage.
{% endhint %}