v3.0 What is the best practice for refreshing access tokens?

DanH069
Rookie
0 Votes

What is the best practice for refreshing access tokens?

 

Do I wait until an error is generated?

Do I refresh based on age of access token?

Is it bad to refresh the token before every request?

 

Thoughts?

1 ACCEPTED SOLUTION
Jimmy_D
Employee

Hello @DanH069,

 

Thank you for reaching out to Constant Contact's API Support.

 

I would suggest one of the first two options. I personally like to go with option two. I create two timers; one of the timers is set for two hours and the other is set for 24 hours. The two-hour timer is reset any time I make an API call. If either timer reaches its end, then I will go through the refresh process.


Regards,
Jimmy D.
Tier II API Support Engineer

JulieK7237
Campaign Collaborator
0 Votes

Can you explain the problem with option 3? Other than potentially hitting a rate limit (which for my application will not happen), what is wrong with refreshing before every request?

Jimmy_D
Employee
0 Votes

Hi @JulieK7237,

 

Option 3's only downside really is the rate limit. If that is not an issue with your integration then feel free to use it.


Regards,
Jimmy D.
Tier II API Support Engineer
CODOH
Rookie
0 Votes

Another downside to option 3 is that it immediately invalidates the access token, so if the program is interrupted after the call to refresh the access token, but before persisting the updated access and refresh tokens, the program won't be able to recover on its own without manually going through the first step. I really wish there was an option for basic-auth for server-side integration. Even options 2 and 3, while workable, turn into a lot of work maintaining timers and coordinating state between concurrent workers.

CODOH
Rookie
0 Votes

Correction: It does not immediately invalidate the current access token, only the refresh token. The problem as described above still stands, however. Anyway, I think I found a somewhat workable solution using (1) for now. Will have to monitor for errors cropping up once deployed.
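The two-timer approach from the accepted answer, combined with the persistence and concurrency concerns raised in the later replies, as an added example that is not part of the thread or Constant Contact's own code. `TokenStore`, `refresh_fn`, the JSON state file and its field names are assumptions; `refresh_fn` stands in for the real refresh request.

```python
import json, os, tempfile, threading, time

IDLE_LIMIT = 2 * 60 * 60   # two-hour timer, reset on every API call
MAX_AGE = 24 * 60 * 60     # 24-hour timer, reset on every refresh

class TokenStore:
    """Hands out access tokens; refreshes when either timer has run out.

    refresh_fn(refresh_token) -> (access_token, refresh_token) is a
    hypothetical callable wrapping the real refresh request.
    """
    def __init__(self, path, refresh_fn, clock=time.time):
        self.path, self.refresh_fn, self.clock = path, refresh_fn, clock
        # Serialises worker threads in one process; separate processes
        # would need a file lock around the same section.
        self.lock = threading.Lock()

    def _load(self):
        with open(self.path) as f:
            return json.load(f)

    def _save(self, state):
        # Temp file + fsync + rename: after a crash the file holds either
        # the old pair or the new pair, never a partial write.
        # mkstemp creates the file with owner-only permissions.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(state, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def access_token(self):
        with self.lock:
            state = self._load()
            now = self.clock()
            idle = now - state["last_used"]
            age = now - state["refreshed_at"]
            if idle >= IDLE_LIMIT or age >= MAX_AGE:
                access, refresh = self.refresh_fn(state["refresh_token"])
                state.update(access_token=access, refresh_token=refresh,
                             refreshed_at=now)
                # Persist the rotated pair first: per the thread, the old
                # refresh token is already invalid at this point.
                self._save(state)
            state["last_used"] = now
            self._save(state)
            return state["access_token"]
```

The window between the refresh response arriving and `_save` completing cannot be closed from the client side, which is why the state file should be the only place the refresh token lives.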
