1

We would want to avoid re-logging in the user every hour. Is it OK to continually refresh the token on the server before it expires?

Do you have plans to increase the token expiration time to avoid less calls to the API?

newsum
  • 13
  • 2
  • 1
    Does *who* have plans to increase the token expiration time? Are you mistaking StackOverflow for a Beats Music API developer forum? – paddy Mar 19 '14 at 22:47
  • 1
    Probably has something: https://developer.beatsmusic.com/docs – SnakeDoc Mar 19 '14 at 22:48
  • 2
    I imagine [this](https://developer.beatsmusic.com/support) is what caused the confusion. – Blorgbeard Mar 19 '14 at 22:49
  • @SnakeDoc Good find. That page explicitly mentions that if one really needs to extend the lifetime of a session, they can obtain a *refresh token* which allows them to request new *access tokens*. – paddy Mar 19 '14 at 22:55

2 Answers

2

Yes absolutely, the refresh token serves as a way to revoke an access token. The more you refresh, the more you will revoke the potential of an access token being leaked and misused.

A short expiration time mitigates the risk of a long-lived access token leaking.

  • I guess the point of my question is: after the 1-hour window, can I still use the refresh token to get a new access token? Or else I would have to continually refresh the access token every hour until the user manually logs out of my app. Is this right? – newsum Mar 20 '14 at 06:32
  • 1
    Yes absolutely, a refresh token is issued with every access token so you can continually refresh. This is correct. – beatsplatform Mar 25 '14 at 23:31
1

I have tried it in my Django project, and after an hour, not only the access token expired but also the refresh token. Within one hour, I am using the refresh token to get a new access token and refresh token, but after one hour, I can't use them both.

So, I guess we need to refresh it before it expires; in our case, maybe every 50 minutes or something.

Xun Ruan
  • 53
  • 6
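
Added example, not part of either answer or of the Beats Music API: a server-side token holder that refreshes inside a safety margin before the one-hour expiry and keeps the newly issued refresh token each time. `exchange` is a hypothetical callable wrapping the provider's token endpoint; the response field names and the assumption that each new refresh token replaces the old one are illustrative.

```python
import threading
import time

class ReauthRequired(Exception):
    """Both tokens have lapsed; only a fresh user login can recover."""

class TokenStore:
    def __init__(self, exchange, tokens, margin=600, clock=time.time):
        # exchange(refresh_token) -> {"access_token", "refresh_token", "expires_in"}
        # is a hypothetical callable wrapping the provider's token endpoint.
        self._exchange = exchange
        self._margin = margin          # 600 s: refresh at ~50 min of a 1 h lifetime
        self._clock = clock
        self._lock = threading.Lock()  # serialize refreshes so a token is never spent twice
        self._store(tokens)

    def _store(self, tokens):
        self._access = tokens["access_token"]
        # Assumption: each refresh response carries a new refresh token that
        # replaces the old one, so always persist the latest value.
        self._refresh = tokens["refresh_token"]
        self._expires_at = self._clock() + tokens["expires_in"]

    def access_token(self):
        """Return a valid access token, refreshing inside the safety margin."""
        with self._lock:
            now = self._clock()
            if now >= self._expires_at:
                raise ReauthRequired("token pair expired; user must log in again")
            if now >= self._expires_at - self._margin:
                self._store(self._exchange(self._refresh))
            return self._access

def demo():
    """Constructed run: fake clock and fake token endpoint, no network."""
    now, issued = [0], []
    def fake_exchange(refresh_token):
        issued.append(refresh_token)
        n = len(issued)
        return {"access_token": f"at{n}", "refresh_token": f"rt{n}", "expires_in": 3600}
    store = TokenStore(fake_exchange, {"access_token": "at0", "refresh_token": "rt0",
                                       "expires_in": 3600}, clock=lambda: now[0])
    seen = []
    for t in (60, 3000, 6000, 9700):   # seconds since login (constructed)
        now[0] = t
        try:
            seen.append(store.access_token())
        except ReauthRequired:
            seen.append("reauth")
    return seen, issued
```

Because the refresh only fires when `access_token()` is called, a periodic job has to call it at least once per margin window for idle users; the last step of the demo shows what happens when that window is missed.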