
Invalidated access tokens

We're currently debugging an issue wherein the generated Apigee access token is supposedly being revoked randomly. We have an existing policy wherein if the token endpoint is called, it looks up any existing token the user has (using a cache) and invalidates it using the OAuthV2 policy. The endpoint would then proceed to generate a new access token.

From what I've read in the documentation, Apigee only invalidates a token through the OAuthV2 policy or through the management UI. Is there any other instance wherein an access token can be invalidated? Maybe due to inactivity? I know it's highly unlikely but thought I'd ask just in case there are things that I haven't found in the docs or that aren't documented at all.

I highly suspect that the client is calling the token endpoint for some reason and gets the existing token invalidated but isn't using the new token it gets back. With the high volume of requests coming in the test environment, I am in the process of adding more detailed logging to debug the issue. Tracing it through the UI proves to be futile given the limited number of requests it can capture. 

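Added example, not part of the original post and not Apigee code: one way to test the hypothesis in the question once detailed logging is in place is to correlate token-endpoint calls with later rejected API calls. The log format, field names, client names and the use of status 401 for a rejected token are assumptions made for this sketch; the sample lines are constructed, and tokens are logged only as hash fingerprints.

```python
import hashlib
from datetime import datetime

def fp(token: str) -> str:
    """Short SHA-256 fingerprint so raw tokens never reach the logs."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

# Constructed sample log (hypothetical key=value format, not an Apigee format).
SAMPLE_LOG = f"""\
2024-07-01T10:00:00 event=issue client=app-a revoked=- issued={fp('tokA1')}
2024-07-01T10:00:05 event=api client=app-a token={fp('tokA1')} status=200
2024-07-01T10:01:00 event=issue client=app-a revoked={fp('tokA1')} issued={fp('tokA2')}
2024-07-01T10:01:02 event=api client=app-a token={fp('tokA1')} status=401
2024-07-01T10:01:09 event=api client=app-a token={fp('tokA1')} status=401
2024-07-01T10:02:00 event=issue client=app-b revoked=- issued={fp('tokB1')}
2024-07-01T10:03:00 event=issue client=app-b revoked={fp('tokB1')} issued={fp('tokB2')}
2024-07-01T10:03:01 event=api client=app-b token={fp('tokB2')} status=200
2024-07-01T10:04:00 event=api client=app-c token={fp('tokC1')} status=401
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def classify_rejections(log_text):
    """Label each 401 as explained by a token-endpoint call or unexplained."""
    revoked = {}   # token fingerprint -> (time revoked, replacement fingerprint)
    used = set()   # fingerprints seen on successful API calls
    findings = []
    lines = [l for l in log_text.splitlines() if l.strip()]
    for r in sorted(map(parse, lines), key=lambda r: r["ts"]):
        if r["event"] == "issue" and r["revoked"] != "-":
            revoked[r["revoked"]] = (r["ts"], r["issued"])
        elif r["event"] == "api" and r["status"] == "200":
            used.add(r["token"])
        elif r["event"] == "api" and r["status"] == "401":
            if r["token"] in revoked:
                when, new = revoked[r["token"]]
                lag = (r["ts"] - when).total_seconds()
                findings.append((r["client"], "stale-after-reissue", lag, new))
            else:
                findings.append((r["client"], "unexplained", None, None))
    # Last field: was the replacement token ever used successfully?
    return [(c, k, lag, (new in used) if new else None)
            for c, k, lag, new in findings]
```

Rows labelled `stale-after-reissue` with a final `False` match the suspected pattern (old token still sent, new one never used); `unexplained` rows are the ones that would point to some other cause of invalidation.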