
Refresh Token

Occasional Contributor

I know the access_token expires after 2 hours without use and 24 hours at most.

How soon does the refresh token expire?

Neil

Moderator

Re: Refresh Token

Hello @VAFBM,
Thank you for reaching out to Constant Contact's API Support.

Based on our settings/documentation and testing, the Refresh Token does not expire. Please keep in mind our production tokens have not gone more than 12 months, but they are not supposed to expire.


Regards,
Jimmy D.
Tier II API Support Engineer

Re: Refresh Token

If the refresh tokens don't expire, how should apps handle the following error?
{ error_description: 'unknown, invalid, or expired refresh token', error: 'invalid_grant' }

When this happens in an app that's machine-to-machine and doesn't receive user input, there doesn't seem to be a way to recover and refresh the tokens.

Since the CC API seems to ignore a machine-to-machine scenario, where refresh tokens really don't make a whole lot of sense (especially since using the API key and secret seems reasonable when a user's browser isn't involved), I'm hoping someone can provide information on how to recover from an error when a refresh token becomes invalid. Otherwise, please confirm that the CC API cannot be (reliably) used in a machine-to-machine scenario.

Moderator

Re: Refresh Token

Hi @GoldenRetrieverR,

That error message occurs when the Refresh Token you used was invalidated by generating another Refresh Token. When using the OAuth flow, you would generate one Access/Refresh Token for a single Constant Contact account and then use that Refresh Token to generate a new Access/Refresh Token. When you generate the new Access/Refresh Token, this will invalidate the previous tokens.


Regards,
Jimmy D.
Tier II API Support Engineer

Re: Refresh Token

There are at least two scenarios I can see where this can break down: 1) an error occurs after receiving the updated tokens but before the token is stored in the db, and 2) multiple requests to refresh the tokens are in flight simultaneously. In the first case, there wouldn't be a way to establish a new refresh token in a machine-to-machine scenario, since the original refresh token would be invalid and there's no user to authenticate and generate a new set of tokens. In the other case, the second request to refresh the tokens could update the db storing the refresh token and cause the refresh token obtained by the first request to be invalidated before the first overall request is complete.

I still don't understand why this flow would be appropriate in machine-to-machine scenarios where all requests are related to a single account. Why can't the API key and secret be used when exposing the secret via a user's browser isn't a concern? I don't think customers should be required to store tokens or any other state just to use the CC API.
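The rotation behaviour described in this thread (each refresh revokes the refresh token it consumed, and replaying a consumed one yields invalid_grant) and the second failure scenario above, shown as an added example that is not Constant Contact's code. The token endpoint is a constructed in-memory stand-in; the client-side store serializes read, refresh and persist under one lock so concurrent callers never present a token another caller has already spent.

```python
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor

class RotatingTokenEndpoint:
    # Constructed stand-in for a token endpoint that rotates refresh tokens:
    # each successful refresh revokes the refresh token it consumed.
    def __init__(self, initial_refresh_token):
        self._valid = {initial_refresh_token}
        self._lock = threading.Lock()

    def refresh(self, refresh_token):
        with self._lock:
            if refresh_token not in self._valid:
                return {"error": "invalid_grant", "error_description":
                        "unknown, invalid, or expired refresh token"}
            self._valid.discard(refresh_token)
            issued = {"access_token": secrets.token_hex(8),
                      "refresh_token": secrets.token_hex(8)}
            self._valid.add(issued["refresh_token"])
            return issued

class TokenStore:
    # Client side: one lock around read -> refresh -> persist, so no caller replays a consumed token.
    def __init__(self, endpoint, refresh_token):
        self.endpoint = endpoint
        self.refresh_token = refresh_token  # stands in for the db row
        self.access_token = None
        self._lock = threading.Lock()

    def refresh(self):
        with self._lock:
            resp = self.endpoint.refresh(self.refresh_token)
            if "error" in resp:
                raise RuntimeError(resp["error_description"])
            # Persist the new refresh token before anything else uses it: the
            # one just presented is already revoked, so this response is all you have.
            self.refresh_token = resp["refresh_token"]
            self.access_token = resp["access_token"]
            return self.access_token

def concurrent_refreshes(store, n):
    def attempt(_):
        try:
            store.refresh()
            return 0
        except RuntimeError:
            return 1
    with ThreadPoolExecutor(max_workers=n) as pool:
        return sum(pool.map(attempt, range(n)))
```

The first scenario (a crash between receiving the new tokens and persisting them) is not recoverable by the client at all once the old token is revoked, which is why the store writes the refresh token before it does anything else with the response.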