Correction: It does not immediately invalidate the current access token, only the refresh token. The problem as described above still stands, however. Anyway, I think I found a somewhat workable solution using (1) for now. Will have to monitor for errors cropping up once deployed. ... View more

Another downside to option 3 is that it immediately invalidates the access token so if the program is interrupted after the call to refresh the access token, but before persisting the updated access and refresh tokens the program won't be able to recover on it's own without manually going through the first step. I really wish there was an option for basic-auth for server-side integration. Even options 2 and 3, while workable, turn into a lot of work maintaining timers and coordinating state between concurrent workers. ... View more