0
votes

I am building an app that allows people to generate simple emails - so I want to give the users a plug and forget experience. Sign in once and it just works. When you make changes to your Podio account, an email is triggered via webhooks.

I understand that the Podio refresh token handed over by Podio exists for 28 days. While this works perfectly fine initially, after 28 days my app will stop working for users who signed up with Podio and expect that it works flawlessly. What makes it even more difficult is that there is no way to find out when the refresh token expires and when I will get a new refresh token. Will it be 1 hour, 2 hours or 3 hours before the 28-day period expires?

Asking the user to log in every 28 days, so I can get a new refresh token, doesn’t sound feasible.

So my question is

1) When is a new refresh token generated for my users?

2) Invalidating the token invalidates only the access token, not the refresh token. Why so?

I have seen similar questions on the Podio forums before, but none of them are answered.

https://help.podio.com/hc/en-us/community/posts/206669587-Get-new-refresh-token

1

1 Answers

5
votes

When you request an Access token, what you will get back is a JSON payload like this:

{
  "access_token": ACCESS_TOKEN,
  "token_type": "bearer",
  "expires_in": EXPIRES_IN,
  "refresh_token": REFRESH_TOKEN,
  "scope": GRANTED_SCOPE_STRING,
  "ref":
  {
    "type": "user",
    "id": USER_ID
  }
}

It has the access_token, refresh_token, and how long the access_token is valid.

If you are directly making the API calls without an SDK/client library, you need to handle refreshing of the access_token when it is expired. To implement that, you may need to store the timestamp at which you got the access token, along with the response data of the access token request, and do the comparison to determine whether the access token is expired before every API call. If the token is expired, you need to supply the existing refresh_token, get the new access token details using this API call, and update the timestamp in the store.

If you are using an SDK it may have auto-refreshing of access tokens (e.g. podio-rb, podio-php, podio-net).
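One way to implement the expiry check described in the answer above, as an added example that is not part of the original answer or of any Podio SDK. `StoredToken`, `TokenManager`, `SKEW_SECONDS` and `refresh_fn` are hypothetical names; `refresh_fn` is assumed to send the refresh request and return the token JSON in the shape shown above, and the values in `demo()` are constructed.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

SKEW_SECONDS = 60  # refresh a little early so a token never expires mid-request

@dataclass
class StoredToken:
    access_token: str = field(repr=False)   # repr=False keeps secrets out of logs
    refresh_token: str = field(repr=False)
    expires_in: int = 0       # seconds, from the token response
    obtained_at: float = 0.0  # when the response was received

    def is_expired(self, now: float) -> bool:
        return now >= self.obtained_at + self.expires_in - SKEW_SECONDS

class TokenManager:
    """Hypothetical helper: call get_access_token() before every API call."""

    def __init__(self, token: StoredToken, refresh_fn: Callable[[str], Dict],
                 clock: Callable[[], float] = time.time):
        self.token = token
        self._refresh_fn = refresh_fn  # assumption: sends the refresh request
        self._clock = clock

    def get_access_token(self) -> str:
        now = self._clock()
        if self.token.is_expired(now):
            payload = self._refresh_fn(self.token.refresh_token)
            self.token = StoredToken(
                access_token=payload["access_token"],
                # keep the old refresh token if the response omits a new one
                refresh_token=payload.get("refresh_token", self.token.refresh_token),
                expires_in=int(payload["expires_in"]),
                obtained_at=now,  # update the timestamp in the store
            )
        return self.token.access_token

def demo():
    """Constructed run with a fake clock and refresh backend (no network)."""
    now = [1000.0]
    fake = lambda rt: {"access_token": "access-1", "expires_in": 3600}
    mgr = TokenManager(StoredToken("access-0", "refresh-0", 3600, 1000.0),
                       fake, clock=lambda: now[0])
    first = mgr.get_access_token()  # still valid: stored token is returned
    now[0] += 3600 - 30             # 30 s before expiry, inside the skew window
    return first, mgr.get_access_token(), mgr.token.refresh_token
```

In a real deployment the updated `StoredToken` would be written back to encrypted storage after each refresh, so a restart does not fall back to a stale refresh token.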