There is no way to do this. The base URLs generated by the API expire after 60 minutes according to the documentation, and the sessions also expire. I assume they don't want apps to have permanent access to photos in case the user forgets or the app gets hacked. The best thing to do is to probably download a copy of the photo and store it on your servers. I thought they wanted a similar flow to the Google Drive Picker API, but that one doesn't even function without a restricted scope that already gives you access to the user's full drive.