Why do access_tokens expire and how can you refresh them?
Our API expires the
access_token in order to reduce the risk of your users’ calendar data being compromised. When you obtain authorization to access a user’s calendar, a
refresh_token will be issued alongside the
access_token to allow your application to obtain a new
access_token without user involvement.
refresh_token should be stored against your user record to ensure you can maintain access to the user’s calendar data.
To determine when a token has expired, our API will respond with a
401 status code when making an api request or you can track it using the
expires_in parameter located in the response body when requesting an access_token. It’s at this point where you will need to refresh the token to continue to interact with the user’s calendar data.
access_token and the
refresh_token should be updated in your user record. The
refresh_token is permanent until is used, however it may change at this point.
Whilst in development mode we expire the token quite quickly, a few hours or so, to ensure that this is being handled properly before your app gets into production. We did have some situations where customers integrated so quickly that they hadn’t dealt with this before going live and thus caused production 🔥 when calendar access was expired. Never pleasant to deal with.
After a period we then push this out to a longer time frame to better balance the necessity to refresh.