Refreshing Tokens
Access tokens have a limited and usually very short lifetime, for reasons of both security and performance. After an access token has expired, the client has to obtain a new one to continue using the FotoWeb API. This can be done in two ways:
- Repeat the authorization process.
- Request a new access token using a refresh token.
Refresh tokens are issued together with access tokens only when the authorization code grant type is used. Refresh tokens are not available with the implicit grant type.
A new access token is requested using a refresh token as follows:
```http
POST https://myfotowebserver.com/fotoweb/oauth2/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=refresh_token&refresh_token=REFRESH_TOKEN&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
```
where
| Parameter | Description |
|---|---|
| grant_type | REQUIRED. Must always be `refresh_token`. |
| client_id | REQUIRED. The unique ID of the client, which was obtained during client registration. |
| client_secret | The secret of the client, which was obtained during client registration. REQUIRED if the client is a web application (was registered with a client secret). MUST NOT BE GIVEN if the client is a native application or single-page application (was registered without a client secret). |
| refresh_token | REQUIRED. The refresh token obtained during authorization. |
On success, the server responds as follows:
```http
200 OK
Content-Type: application/json
```

with the following response body:

```json
{
  "access_token": ACCESS_TOKEN,
  "token_type": "bearer",
  "expires_in": EXPIRES_IN_SECONDS,
  "refresh_token": REFRESH_TOKEN
}
```
where
| Parameter | Description |
|---|---|
| access_token | The access token that is used to authorize requests to the FotoWeb API. |
| token_type | This is always `bearer`. |
| expires_in | Number of seconds after which the token is expected to expire. |
| refresh_token | OPTIONAL. A new refresh token. |
The application can obtain the access token by parsing the response body.
If FotoWeb issues a new refresh token in the response, then the old refresh token (i.e., the one used in the request) is no longer valid.
It is unspecified whether and when FotoWeb will issue new refresh tokens when they are used to request new access tokens, so the client MUST support this case, even if it appears that FotoWeb does not issue new refresh tokens.
Refresh token life span
Refresh tokens currently have an unlimited lifetime. However, future versions may add the possibility of limiting refresh token lifetime. Also, both users and administrators may perform actions that cause refresh tokens to be deleted (for example by changing application settings or "logging out of all sessions").
Applications need to handle the case where a refresh token has been invalidated. In that case they should ask the user to re-authenticate, show an error message, or both, depending on what is appropriate and meaningful in the situation.
For this reason, it is not recommended to use refresh tokens for non-interactive applications, as the user would not be able to take action when a refresh token is invalidated. For non-interactive applications, please use FWAPIToken: API Authentication for non-interactive clients.
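The following is an added example client, not FotoWeb's own code, that implements the refresh request described above and the two cases the page requires the client to handle: a response that rotates the refresh token (the old one becomes invalid) and a refresh token that has been invalidated by the user or an administrator. The endpoint path and form parameters are those documented on this page; the `TokenStore` class, the `REFRESH_MARGIN` constant, the fake transport used in `demo()`, the constructed sample responses, and the decision to treat any non-200 status as "refresh token invalidated" are assumptions made for this example, since the page does not describe the error response.

```python
"""Refresh a FotoWeb access token with a refresh token (added example, not FotoWeb code)."""
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_ENDPOINT = "https://myfotowebserver.com/fotoweb/oauth2/token"  # host from the page; replace with yours
REFRESH_MARGIN = 30  # seconds: renew shortly before expires_in elapses (assumed safety margin)


class RefreshTokenInvalid(Exception):
    """Refresh token rejected: ask the user to re-authenticate and/or show an error."""


@dataclass
class TokenStore:
    client_id: str
    refresh_token: str
    client_secret: Optional[str] = None  # None for native / single-page apps (public clients)
    access_token: Optional[str] = None
    expires_at: float = 0.0              # epoch seconds; 0 means "no valid access token yet"

    def needs_refresh(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self.access_token is None or now >= self.expires_at - REFRESH_MARGIN


def build_refresh_body(store: TokenStore) -> str:
    """Form body for the refresh request; client_secret only for confidential (web) clients."""
    params = {"grant_type": "refresh_token",
              "refresh_token": store.refresh_token,
              "client_id": store.client_id}
    if store.client_secret is not None:
        params["client_secret"] = store.client_secret
    return urlencode(params)


def http_post_form(url: str, body: str) -> tuple:
    """Real transport: POST the form and return (status, response_text)."""
    req = Request(url, data=body.encode("ascii"), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded",
                           "Accept": "application/json"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def refresh_access_token(store: TokenStore, post: Callable = http_post_form,
                         now: Optional[float] = None) -> TokenStore:
    """Exchange the stored refresh token for a new access token and update the store in place."""
    now = time.time() if now is None else now
    status, text = post(TOKEN_ENDPOINT, build_refresh_body(store))
    if status != 200:  # assumption: any error means the refresh token is no longer usable
        raise RefreshTokenInvalid(f"token endpoint returned {status}: {text[:200]}")
    payload = json.loads(text)
    if payload.get("token_type", "").lower() != "bearer" or "access_token" not in payload:
        raise ValueError("unexpected token response")
    store.access_token = payload["access_token"]
    store.expires_at = now + float(payload["expires_in"])
    # refresh_token is OPTIONAL in the response: rotate only when a new one was actually issued.
    new_refresh = payload.get("refresh_token")
    if new_refresh:
        store.refresh_token = new_refresh
    return store


def make_fake_transport(responses):
    """Offline stand-in for http_post_form: returns queued (status, body) pairs, records bodies sent."""
    sent = []

    def post(url, body):
        sent.append(body)
        return responses.pop(0)
    post.sent = sent
    return post


def demo():
    """Constructed exchange: plain refresh, refresh with rotation, then a revoked refresh token."""
    store = TokenStore(client_id="CLIENT_ID", refresh_token="REFRESH_TOKEN")  # public client, no secret
    fake = make_fake_transport([
        (200, json.dumps({"access_token": "AT1", "token_type": "bearer", "expires_in": 3600})),
        (200, json.dumps({"access_token": "AT2", "token_type": "bearer", "expires_in": 3600,
                          "refresh_token": "REFRESH_TOKEN_2"})),
        (400, json.dumps({"error": "invalid_grant"})),  # constructed: token revoked (e.g. logout of all sessions)
    ])
    refresh_access_token(store, fake, now=1000.0)
    refresh_access_token(store, fake, now=5000.0)
    try:
        refresh_access_token(store, fake, now=9000.0)
        revoked = False
    except RefreshTokenInvalid:
        revoked = True
    return store, fake.sent, revoked


if __name__ == "__main__":
    s, sent, revoked = demo()
    print(s.access_token, s.refresh_token, revoked)
```

The transport is injected so the flow can be exercised without a server; passing `http_post_form` (the default) sends the real request. Note that after the second response the store holds `REFRESH_TOKEN_2` and the third request is built with it, which is the behaviour the page mandates when a new refresh token is issued.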