
We are building a customer application. For that, we are using accounting software (ZOHO). Items will be fetched from the accounting software and bills will be generated directly on the accounting software using the API. The API uses JWT for authentication. To generate JWT tokens for each user there is a 'user consent page', which has to be manually approved from the web browser. So we are not going to register each customer as a user; we are planning to create them just as customers.

What we are actually planning to do now is create one JWT token pair (after manual approval) and use it for all customers for all API calls. My first concern is: will that be a good approach?

The second concern: the token has an expiry of 1 hour. After that, we should use the refresh token to generate the new token. How can we efficiently handle this on web and mobile (customers on web and mobile simultaneously using the same tokens for API calls, and the token change should be reflected on all client devices)? Is doing this a good idea?

Jinto Antony

1 Answer


In this case, you can create a Connection for Server-Based Application in Zoho Books and thereby authenticate the API calls using OAuth. When you set this integration up, the communication through API will be only between Zoho Books and your third-party application, and not directly between Zoho Books and your customers. Therefore, you can validate the user interface for your customers at your end.

When you initially build the API integration, you will be creating a Refresh Token. This can be hardcoded in your script and set to generate Access Token from it every hour. Please note that the Refresh Token and Access Token have to be generated separately for Web-based and Mobile-based applications. Here is our help resource for your reference. You can store the access token and expiry time, and verify the expiry time before using the access token. If it has expired, generate a new access token. Please take extra care to ensure that the refresh tokens are not exposed.

I hope this helps. Feel free to contact us if you have further queries.
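The pattern the answer describes (one refresh token kept on your own server, the access token cached with its expiry and renewed just before it lapses, never handed to the web or mobile clients) as an added example; this is illustrative code, not Zoho's or the asker's, and the token endpoint is a constructed stand-in so it runs offline:

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional


class ServerTokenCache:
    """One access token held server-side and renewed from the refresh token.
    Web and mobile clients call only your backend, which alone talks to the API."""
    def __init__(self, refresh_token: str, refresh_fn: Callable[[str], Dict[str, object]],
                 skew_seconds: int = 60, clock: Callable[[], float] = time.time):
        self._refresh_token = refresh_token  # load from a secret store or env var in real use
        self._refresh_fn = refresh_fn        # wraps the provider's OAuth token endpoint
        self._skew = skew_seconds            # renew a little before the real expiry
        self._clock = clock                  # injectable so tests are deterministic
        self._lock = threading.Lock()        # serialise refreshes across concurrent requests
        self._access_token: Optional[str] = None
        self._expires_at = 0.0
        self.refresh_count = 0

    def _expired(self) -> bool:
        return self._access_token is None or self._clock() >= self._expires_at - self._skew

    def get_access_token(self) -> str:
        if not self._expired():
            return self._access_token
        with self._lock:
            if self._expired():  # double-checked: another request may have just refreshed
                resp = self._refresh_fn(self._refresh_token)
                self._access_token = str(resp["access_token"])
                self._expires_at = self._clock() + int(resp["expires_in"])
                self.refresh_count += 1
        return self._access_token


def fake_token_endpoint(calls: List[str]) -> Callable[[str], Dict[str, object]]:
    """Constructed stand-in for the provider's token endpoint (no network); records calls."""
    def refresh(refresh_token: str) -> Dict[str, object]:
        calls.append(refresh_token)
        time.sleep(0.01)  # simulated latency so concurrent callers overlap
        return {"access_token": "demo-token-%d" % len(calls), "expires_in": 3600}
    return refresh


def concurrent_demo(workers: int = 8) -> int:
    """Burst of requests with no cached token: returns the number of refreshes (expect 1)."""
    cache = ServerTokenCache("rt-secret", fake_token_endpoint([]))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        list(pool.map(lambda _: cache.get_access_token(), range(workers)))
    return cache.refresh_count
```

Because every client device goes through this one backend, a renewed token is visible to all of them at once, and the refresh token itself is only ever read by the server process.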