An access_token is a token used to make API requests related to a specific Item. Access tokens do not expire, although they may require updating. For example, updating is needed when a user changes their password or when working with European institutions that comply with PSD2's 180-day consent window. For more information, see when to use update mode.
If compromised, an access_token can be revoked via /item/access_token/invalidate; this endpoint returns a new access_token and immediately invalidates the previous access_token. If no longer needed, it can be revoked via /item/remove.
If, for any reason, an Item ever does need re-authentication, any API call will return the ITEM_LOGIN_REQUIRED error. To track Items that go into this error state, you will want to implement webhooks.