
I need to access a REST API using a token. I am able to create a token that expires in 1 hour using one endpoint and then use that token to fetch some data at another endpoint.

I need to call the second endpoint multiple times every day and I could just create a token and then fetch the data each time, but that feels silly so I wonder what would be the right way to do this.

Should I be storing the token and the time of expiration and then reusing it until I know it's expired before I get a new token or how should I go about doing this? The only tokens I've used before are ones that don't expire, so I'm not really sure how to do this.

Andri
  • Have you looked at OAuth2? – Evert Feb 16 '21 at 03:50
  • Yes, a bit. I understand the basics of how it should work and I know how to get it to work for whatever I need. Just didn't want to do something incorrectly (such as creating tokens every time instead of refreshing them or something of that sort) – Andri Feb 16 '21 at 19:00

1 Answer

I would implement the pseudocode logic below:

1/a/ Check if token != Null. If true, go to 3/
1/b/ If false (token == Null), go to 2/

2/ getToken() {make a request for a new token}, call 3/ after successfully retrieving a new token.

3/ queryAPI(token) {query the REST API}. If the token is expired you will get error 401 (sometimes 400 or 403 when people fail to send back the right error code, test it with your API). Using a try/catch, purge (delete) the current token and then go to 2/. If code 200, go to 4/

4/ ???

5/ profit

This way you do not need to check yourself if the token is expired; the API endpoint will tell you.

Antonin GAVREL
  • Ok, thanks. That seems easy enough. And I guess it makes sense, still feels a bit strange to have to just try to use it until you get an error. Is this the "right way" to do it or just an easy way that works? – Andri Feb 15 '21 at 22:52
  • I would say an easy way that works and also the right way if you are not limited on the number of queries you can make to the API endpoint – Antonin GAVREL Feb 15 '21 at 22:54
  • Note that in the case that the endpoint takes a long time to return error 401 you might want to implement a check on the token expiration by comparing with current timestamp, but then you have to be careful with the timezone. – Antonin GAVREL Feb 15 '21 at 22:55
  • And just to be sure, I'm not usually expected to do anything to clean up old tokens, they just expire and disappear from the system, right? (I don't think I'm able to remove them anyway, but just thought I'd ask in case I'm mistaken) – Andri Feb 15 '21 at 22:58
  • It depends on the auth server issuing your token, if they have good security policy they should expire in at most 24h, but I can't guarantee this, it depends on their settings – Antonin GAVREL Feb 15 '21 at 22:59
  • When the token is created, it says it expires in 3600 (presumably seconds). But I have no way of checking if they are deleted or what the expiration really means. They do stop working after that time though. – Andri Feb 15 '21 at 23:15
  • Then it means that they are good for 1 hour, which is a recommended length of time for a security policy, the tokens are not necessarily deleted, they will just stop working – Antonin GAVREL Feb 15 '21 at 23:24
  • Thanks. Marked as the answer. FYI, the API provider suggested I'd do what you recommended a few minutes ago. – Andri Feb 16 '21 at 19:02
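
The flow from the answer and its comments, as an added example that is not code from the original posts: the token is cached in memory, refreshed shortly before its reported `expires_in` runs out, and purged and re-requested once if the API still answers 401. `TokenClient`, `TokenExpired`, `FakeAPI` and the two callables are hypothetical names; the expiry check uses a monotonic clock, so no timezone handling is involved.

```python
import time

class TokenExpired(Exception):
    """Raised by the query callable when the API answers 401."""

class TokenClient:
    def __init__(self, fetch_token, query, skew=30, clock=time.monotonic):
        self._fetch_token = fetch_token  # () -> (token, expires_in seconds)
        self._query = query              # (token) -> data; raises TokenExpired
        self._skew = skew                # refresh this many seconds early
        self._clock = clock              # monotonic: no timezone or wall-clock jumps
        self._token, self._deadline = None, 0.0

    def _refresh(self):
        self._token, expires_in = self._fetch_token()
        self._deadline = self._clock() + expires_in - self._skew

    def get(self):
        if self._token is None or self._clock() >= self._deadline:
            self._refresh()                  # steps 1/b and 2, plus the expiry check
        try:
            return self._query(self._token)  # step 3
        except TokenExpired:
            self._token = None               # purge the rejected token
            self._refresh()
            return self._query(self._token)  # retry once; a second 401 propagates

class FakeAPI:  # constructed stand-in for the token and data endpoints
    def __init__(self):
        self.now, self.issued, self.valid = 0.0, 0, {}
    def token_endpoint(self):
        self.issued += 1
        self.valid[f"tok-{self.issued}"] = self.now + 3600
        return f"tok-{self.issued}", 3600
    def data_endpoint(self, token):
        if self.valid.get(token, 0) <= self.now:
            raise TokenExpired()
        return {"ok": True}

def demo():
    api = FakeAPI()
    client = TokenClient(api.token_endpoint, api.data_endpoint, clock=lambda: api.now)
    client.get(); client.get()  # second call reuses the cached token
    reused = api.issued
    api.now = 3580              # inside the 30 s skew window: refreshed up front
    client.get()
    proactive = api.issued
    api.valid.clear()           # server rejects the token early: 401 path
    client.get()
    return reused, proactive, api.issued
```

In real use the two callables would wrap the HTTP requests to the token and data endpoints, with the data call raising `TokenExpired` on a 401 response.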