Refresh Token

Occasional Contributor

Refresh Token

I know the access_token expires after 2 hours without use and 24 hours at most.

How soon does the refresh token expire?

Neil

4 REPLIES
Moderator

Re: Refresh Token

Hello @VAFBM,

Thank you for reaching out to Constant Contact's API Support.

Based on our settings/documentation and testing, the Refresh Token does not expire. Please keep in mind our production tokens have not gone more than 12 months, but they are not supposed to expire.


Regards,
Jimmy D.
Tier II API Support Engineer
Occasional Advisor

Re: Refresh Token

If the refresh tokens don't expire, how should apps handle the following error?

{ error_description: 'unknown, invalid, or expired refresh token', error: 'invalid_grant' }

When this happens in an app that's machine to machine that doesn't receive user input, there doesn't seem to be a way to recover and refresh the tokens.

Since the CC API seems to ignore a machine to machine scenario where refresh tokens really don't make a whole lot of sense, especially since using the API key and secret seems reasonable when a user's browser isn't involved, I'm hoping someone can provide information on how to recover from an error when a refresh token becomes invalid. Otherwise, please confirm that the CC API cannot be (reliably) used in a machine to machine scenario.

Moderator

Re: Refresh Token

Hi @GoldenRetrieverR,

That error message occurs when the Refresh Token you used was invalidated by generating another Refresh Token. When using the OAuth flow you would generate one Access/Refresh Token for a single Constant Contact account and then use that Refresh Token to generate a new Access/Refresh Token. When you generate the new Access/Refresh Token this will invalidate the previous tokens.


Regards,
Jimmy D.
Tier II API Support Engineer
Occasional Advisor

Re: Refresh Token

There are at least two scenarios I can see where this can break down - 1) error occurs after receiving the updated tokens but before the token is stored in the db, and 2) multiple requests to refresh the tokens in flight simultaneously. In the first case, there wouldn't be a way to establish a new refresh token in a machine to machine scenario since the original refresh token would be invalid and there’s no user to authenticate and generate a new set of tokens. In the other case, the second request to refresh the tokens could update the db storing the refresh token and cause the refresh token obtained by the first request to be invalidated before the first overall request is complete.

I still don’t understand why this flow would be appropriate in machine to machine scenarios where all requests are related to a single account. Why can't the API key and secret be used when exposing the secret via user's browser isn't a concern? I don't think customers should be required to store tokens or any other state just to use the CC API.
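The two failure modes described in the last reply (losing the new pair before it is persisted, and two refreshes racing each other) follow directly from the moderator's explanation that each refresh invalidates the previous refresh token. The following is an added example, not code from the thread or from Constant Contact: a mock single-use token issuer standing in for the real endpoint, and a client that coalesces concurrent refreshes behind one in-flight promise and persists the new pair before doing anything else with it. The mock reproduces only what the replies state (rotation on every refresh, invalid_grant for a reused token, with the error body quoted above); the token values, the TokenStore class and the latency are constructed for the demonstration.

```javascript
// Added example (not Constant Contact's code). MockTokenServer imitates only
// the behaviour described in the thread: every refresh returns a new
// access/refresh pair, invalidates the previous one, and a reused or unknown
// refresh token is answered with invalid_grant. Token strings are made up.
class MockTokenServer {
  constructor() { this.counter = 0; this.validRefresh = null; this.refreshCalls = 0; }
  // Hypothetical stand-in for the initial, browser-based authorization.
  async authorize() { return this.issue(); }
  async refresh(refreshToken) {
    await new Promise(r => setTimeout(r, 5)); // simulated network latency
    this.refreshCalls += 1;
    if (refreshToken !== this.validRefresh) {
      const err = new Error('invalid_grant');
      // Same body as the error quoted earlier in the thread.
      err.body = { error_description: 'unknown, invalid, or expired refresh token', error: 'invalid_grant' };
      throw err;
    }
    return this.issue();
  }
  issue() {
    this.counter += 1;
    this.validRefresh = `refresh-${this.counter}`;
    return { access_token: `access-${this.counter}`, refresh_token: this.validRefresh };
  }
}

// Stand-in for the database row holding the account's current pair.
class TokenStore {
  constructor(pair) { this.pair = pair; }
  save(pair) { this.pair = pair; } // in production: one atomic write
  load() { return this.pair; }
}

class ApiClient {
  constructor(server, store) { this.server = server; this.store = store; this.inflight = null; }

  refresh() {
    // Failure mode 2 (concurrent refreshes): coalesce them so at most one
    // refresh per account is in flight; every caller awaits the same promise.
    if (this.inflight) return this.inflight;
    const p = this.doRefresh().finally(() => { if (this.inflight === p) this.inflight = null; });
    this.inflight = p;
    return p;
  }

  async doRefresh() {
    const { refresh_token } = this.store.load();
    let pair;
    try {
      pair = await this.server.refresh(refresh_token);
    } catch (e) {
      if (e.body && e.body.error === 'invalid_grant') {
        // The stored token has already been consumed and no user is present,
        // so an unattended job cannot self-heal: surface it for a human.
        throw new Error('refresh token revoked; manual re-authorization required');
      }
      throw e;
    }
    // Failure mode 1, prevented: the old refresh token died the moment the
    // server answered, so persist the new pair before anything else (no
    // logging, no API call, nothing that can throw) happens with it.
    this.store.save(pair);
    return pair;
  }
}

// Walk through both scenarios and return the observable results.
async function demo() {
  const server = new MockTokenServer();
  const store = new TokenStore(await server.authorize()); // refresh-1
  const client = new ApiClient(server, store);
  const original = store.load().refresh_token;

  // Two refreshes at once: one server call, both callers get the same pair.
  const [a, b] = await Promise.all([client.refresh(), client.refresh()]);

  // Reusing the pre-refresh token reproduces the error from the thread.
  let staleError = null;
  try { await server.refresh(original); } catch (e) { staleError = e.body; }

  // Simulate the DB write being lost after a successful refresh: the store
  // still holds the consumed token, and the next refresh cannot recover.
  store.save({ access_token: 'access-1', refresh_token: original });
  let recovery = null;
  try { await client.refresh(); } catch (e) { recovery = e.message; }

  return {
    serverRefreshCalls: server.refreshCalls, // coalesced + stale + failed
    samePair: a.refresh_token === b.refresh_token,
    rotatedTo: a.refresh_token,
    staleError,
    recovery,
  };
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

Run with `node` to see the three outcomes: the two simultaneous callers share one server round trip and one new pair, the consumed token is rejected with the quoted invalid_grant body, and a refresh attempted with a lost-and-restored old token is turned into an explicit "manual re-authorization required" error rather than retried. The in-memory TokenStore is the part to replace with a real atomic write; if the process can die between the server's answer and that write, nothing on the client side can bring the token back, which is exactly the gap the reply above points out.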
