Refresh Token


I know the access_token expires after 2 hours without use and 24 hours at most.

How soon does the refresh token expire?



Hello @VAFBM,


Thank you for reaching out to Constant Contact's API Support.


Based on our settings/documentation and testing, the Refresh Token does not expire. Please keep in mind our production tokens have not gone more than 12 months, but they are not supposed to expire.

Jimmy D.
Tier II API Support Engineer

If the refresh tokens don't expire, how should apps handle the following error?


{ error_description: 'unknown, invalid, or expired refresh token', error: 'invalid_grant' }


When this happens in an app that's machine to machine that doesn't receive user input, there doesn't seem to be a way to recover and refresh the tokens.


Since the CC API seems to ignore a machine to machine scenario where refresh tokens really don't make a whole lot of sense, especially since using the API key and secret seems reasonable when a user's browser isn't involved, I'm hoping someone can provide information on how to recover from an error when a refresh token becomes invalid. Otherwise, please confirm that the CC API cannot be (reliably) used in a machine to machine scenario.



That error message occurs when the Refresh Token you used was invalidated by generating another Refresh Token. When using the oAuth flow you would generate one Access/Refresh Token for a single Constant Contact account and then use that Refresh Token to generate a new Access/Refresh Token. When you generate the new Access/Refresh Token this will invalidate the previous tokens.

Jimmy D.
Tier II API Support Engineer

There are at least two scenarios I can see where this can break down - 1) error occurs after receiving the updated tokens but before the token is stored in the db, and 2) multiple requests to refresh the tokens in flight simultaneously. In the first case, there wouldn't be a way to establish a new refresh token in a machine to machine scenario since the original refresh token would be invalid and there’s no user to authenticate and generate a new set of tokens. In the other case, the second request to refresh the tokens could update the db storing the refresh token and cause the refresh token obtained by the first request to be invalidated before the first overall request is complete.


I still don’t understand why this flow would be appropriate in machine to machine scenarios where all requests are related to a single account. Why can't the API key and secret be used when exposing the secret via user's browser isn't a concern? I don't think customers should be required to store tokens or any other state just to use the CC API.
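The rotation behaviour the support reply describes (refreshing consumes the old refresh token and returns a new access/refresh pair) and the two client-side failure modes raised above (a crash between the refresh response and the database write, and several refreshes in flight at once) can be made concrete in code. The following is an added example, not Constant Contact's API or any SDK: FakeAuthServer, TokenStore, TokenClient and the account id are constructed for illustration. It shows a per-account lock so that concurrent callers share one refresh instead of racing, persisting the new pair before it is used so the crash window shrinks to the single write, and flagging an account for human re-consent when invalid_grant comes back, since there is no automatic recovery once a one-time-use token has been consumed.

```python
"""Added example: handling one-time-use (rotating) refresh tokens defensively.

Not Constant Contact's API or SDK. FakeAuthServer, TokenStore and the account
name are constructed for the example; they model the behaviour the thread
describes (refreshing consumes the old refresh token and returns a new pair).
"""
import secrets
import threading
from typing import Dict, List, Optional, Set, Tuple

ACCOUNT = "acct-1"  # constructed account id


class InvalidGrant(Exception):
    """Stand-in for the {'error': 'invalid_grant'} response quoted in the thread."""


class FakeAuthServer:
    """Constructed token endpoint: every refresh token is valid exactly once."""

    def __init__(self) -> None:
        self._valid: Set[str] = set()
        self._lock = threading.Lock()

    def issue_initial(self) -> Tuple[str, str]:
        """Models the end of the interactive OAuth flow (user consent)."""
        rt = secrets.token_hex(8)
        with self._lock:
            self._valid.add(rt)
        return secrets.token_hex(8), rt

    def refresh(self, refresh_token: str) -> Tuple[str, str]:
        """Rotate: consume the presented token, hand back a new access/refresh pair."""
        with self._lock:
            if refresh_token not in self._valid:
                raise InvalidGrant("unknown, invalid, or expired refresh token")
            self._valid.discard(refresh_token)
            new_rt = secrets.token_hex(8)
            self._valid.add(new_rt)
        return secrets.token_hex(8), new_rt


class TokenStore:
    """Constructed durable store (a dict standing in for a DB row)."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[str, str]] = {}

    def load(self, account: str) -> Optional[Tuple[str, str]]:
        return self._rows.get(account)

    def save(self, account: str, access: str, refresh: str) -> None:
        self._rows[account] = (access, refresh)


class TokenClient:
    """Serialises refreshes per account and persists the new pair before use."""

    def __init__(self, server: FakeAuthServer, store: TokenStore) -> None:
        self.server, self.store = server, store
        self._locks: Dict[str, threading.Lock] = {}
        self._locks_guard = threading.Lock()
        self.refresh_calls = 0
        self.needs_reauth: Set[str] = set()  # accounts that need a human to re-consent

    def _lock_for(self, account: str) -> threading.Lock:
        with self._locks_guard:
            return self._locks.setdefault(account, threading.Lock())

    def refresh_tokens(self, account: str, stale_refresh: str) -> str:
        """Return a current access token, refreshing at most once for a stale token."""
        with self._lock_for(account):
            row = self.store.load(account)
            if row is not None and row[1] != stale_refresh:
                return row[0]  # a concurrent caller already rotated; reuse its result
            try:
                access, new_refresh = self.server.refresh(stale_refresh)
            except InvalidGrant:
                # No automatic recovery exists for a consumed token; flag for re-consent.
                self.needs_reauth.add(account)
                raise
            self.store.save(account, access, new_refresh)  # persist before any use
            self.refresh_calls += 1
            return access


def simulate_concurrent_refresh(workers: int = 5) -> Tuple[int, int]:
    """N threads refresh with the same stale token; returns (server calls, distinct results)."""
    server, store = FakeAuthServer(), TokenStore()
    client = TokenClient(server, store)
    access, rt = server.issue_initial()
    store.save(ACCOUNT, access, rt)
    results: List[str] = []
    threads = [threading.Thread(target=lambda: results.append(client.refresh_tokens(ACCOUNT, rt)))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return client.refresh_calls, len(set(results))


def simulate_stale_copy() -> Tuple[bool, bool]:
    """Two processes with separate stores hold one token; returns (second failed, flagged)."""
    server = FakeAuthServer()
    first, second = TokenClient(server, TokenStore()), TokenClient(server, TokenStore())
    access, rt = server.issue_initial()
    first.store.save(ACCOUNT, access, rt)
    second.store.save(ACCOUNT, access, rt)
    first.refresh_tokens(ACCOUNT, rt)  # rotates; rt is now consumed server-side
    try:
        second.refresh_tokens(ACCOUNT, rt)
        failed = False
    except InvalidGrant:
        failed = True
    return failed, ACCOUNT in second.needs_reauth
```

`simulate_concurrent_refresh` shows that five simultaneous refreshes of the same stale token hit the server once and all receive the same access token, so the second scenario above (one refresh invalidating another) cannot arise within a single process. `simulate_stale_copy` models two processes that each keep their own copy of the token: once the first rotates, the second gets invalid_grant and is flagged in `needs_reauth`, which is the signal an operator or monitoring job would act on, since only an interactive OAuth run can issue a fresh pair. Persisting before use narrows the first scenario to the single store write but does not remove it; a transactional store is the remaining defence there.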

I second this point. You are making it nearly impossible to implement this in any CMS. I've added a hook to sign people up in my CMS and I have to physically open my browser and refresh the token using your redirect URL all the time because this token keeps being invalidated, and I am doing it the proper way by using the refresh token, NOT the access token. How in any world is this practical?

I am also facing this issue as I am using the same refresh token that was generated at OAuth but getting the same error { error_description: 'unknown, invalid, or expired refresh token', error: 'invalid_grant' }, and I have not done any OAuth that invalidates the refresh token.

I've run into the same scenario. The `Server Flow` is not a Server Flow at all if it requires client interaction to authenticate.


My refresh_token keeps getting invalidated also for some reason.

Hi @JustinZ21,


The server flow refers to an application that is a server-side application, versus a client-side application such as a mobile app.


If your Refresh Token is getting invalidated, that is most likely due to generating another set of Access/Refresh Tokens for the same account.

Jimmy D.
Tier II API Support Engineer

Hi Jimmy,


I just wanted to clarify what you are saying here regarding refresh tokens. In this scenario what would the outcome be:


I have one Constant Contact account. I have two accounts with another service. In each of my accounts with the other service I create an integration with Constant Contact, both these integration connections are using the same OAuth client as they are both from the same service. In this case will the second connection cause the refresh token for the first connection to be invalidated?
