Does the token expire when the employee who made it leaves?

No. It keeps working until someone deliberately revokes it. That is why offboarding must include reviewing and revoking system user access.

Why not just use a person's login for the integration?

Because that token is short-lived and tied to one human — the integration breaks when they leave or their access changes. A system user is the durable, business-owned alternative.

How do I make sure an old token isn't still active?

Audit your system users in Business Settings and revoke any that belong to retired tools or departed staff. Treat it as a recurring security check.

System User Token Persistence

Why do system user tokens last longer?

Regular user tokens expire in hours; system user tokens are long-lived so automated integrations don't keep breaking. Here is why — and why that cuts both ways.

When a person logs in through an app, the access token they get is short-lived by design — it expires fairly quickly and the app has to refresh it. A system user token is different: it is built to be long-lived, so an integration can keep running unattended for a long time without re-authenticating. That is exactly what makes automations reliable — and exactly why a leftover system user token is a security risk.

If your situation is actually …

You want to understand what a system user is first → What is a system user →

Why they last longer

A regular user token is tied to a human session, so Meta keeps it short to limit exposure if it leaks. That is fine for an app a person uses interactively, but it would be a nightmare for an unattended server that needs to make API calls at 3am — it would constantly need a human to log back in.

A system user solves that. Because it represents the business rather than a person, its token is designed to persist, so the automation just keeps working. No nightly logins, no broken syncs when someone is on holiday.

The security trade-off

The same persistence that keeps integrations alive is what makes system user tokens dangerous to forget. A token does not expire just because the employee who created it left, or because the tool that used it was retired. It keeps holding access until someone revokes it.

So system user tokens have to be managed actively: scope them to only the assets they need, keep an inventory of what exists, and make revoking them a standard part of offboarding a person or decommissioning a tool. "It will time out eventually" is not true here.

Frequently asked questions

It is long-lived by design — built to persist so unattended integrations keep working. It does not expire on the short timescale a normal user login does.

Delvia

Access issues are easier to prevent when roles, owners, and responsibilities are recorded clearly

Most access problems trace back to the same gap — no clear record of who has access, what role they hold, and what should happen when that changes. Delvia helps you keep that record so problems are visible before they become incidents.

Delvia is free on iPhone and Android. Keep a clear record of who has access to your accounts — and what to do when that changes — wherever you are.

Download on theApp Store GET IT ONGoogle Play