v3.0 What is the best practice for refreshing access tokens?

DanH069
Participant

What is the best practice for refreshing access tokens?

 

Do I wait until an error is generated?

Do I refresh based on age of access token?

Is it bad to refresh the token before every request?

 

Thoughts?

1 ACCEPTED SOLUTION
Jimmy_D
Moderator

Hello @DanH069,

 

Thank you for reaching out to Constant Contact's API Support.

 

I would suggest one of the first two options. I personally like to go with option two. I create two timers; one of the timers is set for two hours and the other is set for 24 hours. The two-hour timer is reset any time I make an API call. If either timer reaches its end, then I will go through the refresh process.


Regards,
Jimmy D.
Tier II API Support Engineer

JulieK7237
Regular Participant

Can you explain the problem with option 3? Other than potentially hitting a rate limit (which for my application will not happen), what is wrong with refreshing before every request?

Hi @JulieK7237,

 

Option 3's only downside really is the rate limit. If that is not an issue with your integration then feel free to use it.


Regards,
Jimmy D.
Tier II API Support Engineer
CODOH
Occasional Participant

Another downside to option 3 is that it immediately invalidates the access token, so if the program is interrupted after the call to refresh the access token, but before persisting the updated access and refresh tokens, the program won't be able to recover on its own without manually going through the first step. I really wish there was an option for basic-auth for server-side integration. Even options 2 and 3, while workable, turn into a lot of work maintaining timers and coordinating state between concurrent workers.

CODOH
Occasional Participant

Correction: It does not immediately invalidate the current access token, only the refresh token. The problem as described above still stands, however. Anyway, I think I found a somewhat workable solution using (1) for now. Will have to monitor for errors cropping up once deployed.
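
An added example, not part of the thread and not Constant Contact code: the two-timer schedule from the accepted answer, combined with the persistence concern raised in the later replies. It assumes a hypothetical `refresh_fn` that exchanges a refresh token for a new (access, refresh) pair, and a JSON token file whose layout is invented for this sketch.

```python
import json, os, tempfile, threading, time

IDLE_LIMIT = 2 * 60 * 60        # two-hour timer, reset on every API call
ABSOLUTE_LIMIT = 24 * 60 * 60   # 24-hour timer, reset only by a refresh

class TokenStore:
    """Hypothetical helper: holds the token pair and decides when to refresh."""

    def __init__(self, path, refresh_fn, clock=time.time):
        self.path, self.refresh_fn, self.clock = path, refresh_fn, clock
        self.lock = threading.Lock()    # one refresh at a time per process
        with open(path) as f:
            self.state = json.load(f)

    def _persist(self):
        # Write to a temp file (mkstemp creates it with mode 0600), fsync,
        # then rename, so a crash never leaves a half-written token file.
        folder = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=folder)
        with os.fdopen(fd, "w") as f:
            json.dump(self.state, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def _due(self, now):
        return (now - self.state["last_call"] >= IDLE_LIMIT
                or now - self.state["refreshed_at"] >= ABSOLUTE_LIMIT)

    def access_token(self):
        """Call before each API request; refreshes if either timer has run out."""
        with self.lock:
            now = self.clock()
            if self._due(now):
                access, refresh = self.refresh_fn(self.state["refresh_token"])
                self.state.update(access_token=access, refresh_token=refresh,
                                  refreshed_at=now)
                # Persist the rotated refresh token before anything else runs,
                # keeping the crash window described above as short as possible.
                self._persist()
            self.state["last_call"] = now
            return self.state["access_token"]
```

The lock only serializes threads inside one process; concurrent worker processes would need a shared lock around the same refresh-and-persist step.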
