---
title: OAuth persistent grants cleanup
description: PingFederate provides two cleanup tasks for persistent grants.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_oauth_persis_grants_cleanup
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_oauth_persis_grants_cleanup.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: May 22, 2025
---

# OAuth persistent grants cleanup

PingFederate provides two cleanup tasks for persistent grants. One task manages expired grants, while another task caps the number of grants based on a combination of user, client, grant type, and authentication context.

Persistent authorizations include those obtained by OAuth clients in the following ways:

* Grants obtained or updated using the authorization code, resource owner credentials, or device authorization grant type, in conjunction with the refresh token grant type

  |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
  | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | If the use cases involve mapping attributes from authentication sources, such as identity provider (IdP) adapter instances or IdP connections, or password credential validator (PCV) instances to the access tokens, directly or through persistent grant-extended attributes, storing these attributes from authentication sources and their values along with the persistent grants maintains them for reuse when clients subsequently present refresh tokens for new access tokens. |

* Grants obtained or updated by using the implicit grant type, for which PingFederate is configured to reuse existing persistent grants

  |   |                                                                                                                                                                                                                                                       |
  | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | If the use cases involve mapping attributes from authentication sources or PCV instances to the access tokens, runtime procedures obtain attribute values for each token request, but persistent grants do not store with attributes or their values. |

* Persistent grants and any associated attributes and their values remain valid until the grants expire or until PingFederate explicitly revokes or cleans them up. PingFederate's persistent grant cleanup routine manages grants that have expired based on the **Persistent Grant Max Lifetime** or the **Persistent Grant Idle Timeout** policy setting.