I’ve successfully used the POST https://services.poynt.net/token endpoint to retrieve a JWT bearer authentication token to make requests with. I’m wondering how long this token will be valid for? I noticed that a “refreshToken” is also returned with the response. In what scenario will I need to use it?
Typically the access tokens (JWT) in the live env are valid for 24 hrs. The expiry time is in the JWT itself. You should be checking the validity of the access token before you use it to make an API call. If you determine that the access token has expired, or you receive a 401 error from the API call, you have two options:
- Use the Refresh token to obtain a new access token & new refresh token.
- Request new access token and refresh token using your API credentials.
It’s recommended to use option #1, since it gives you the flexibility of not storing your API credentials on all your servers, also provides more information on how long the App is running, and optimizes token issuance from a security point of view.
Let me add a quick doc with the API details.
Here you go: http://poynt.github.io/developer/doc/authentication-authorization.html (please refresh your browser if you do not see the updated page with sample API calls and code).
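The token lifecycle described in the answer above (check `exp` locally before each call, refresh on expiry or on a 401, keep the refresh token single-use, fall back to credentials only when no usable refresh token is left), as an added example that is not Poynt's code and not from the linked doc. The `FakeAuthServer` is a constructed stand-in for the token endpoint and a protected API so the flow runs offline; its unsigned `alg: none` tokens are only for the demo and say nothing about Poynt's real tokens beyond carrying an `exp` claim, and the app id/secret are placeholders.

```python
"""Access/refresh token lifecycle for a JWT-bearer API (added example, not Poynt's code)."""
import base64
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Read a JWT's payload without verifying it; enough to check `exp` locally."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_fresh(token: str, now: float, skew: int = 60) -> bool:
    """True if `exp` is at least `skew` seconds away; a missing exp counts as expired."""
    exp = jwt_claims(token).get("exp")
    return exp is not None and now + skew < exp


class FakeAuthServer:
    """Constructed stand-in for POST /token plus one API route. Refresh tokens are one-time."""

    def __init__(self, clock, ttl=24 * 3600):
        self.clock, self.ttl = clock, ttl
        self.live_access, self.live_refresh = set(), set()
        self.credential_grants = self.refresh_grants = 0

    def _issue(self):
        exp = int(self.clock()) + self.ttl
        header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
        body = _b64url(json.dumps({"exp": exp, "jti": secrets.token_hex(4)}).encode())
        access = f"{header}.{body}."          # unsigned demo token; never accept alg=none for real
        refresh = secrets.token_hex(8)
        self.live_access.add(access)
        self.live_refresh.add(refresh)
        return access, refresh

    def token_with_credentials(self, app_id, app_secret):
        self.credential_grants += 1
        return self._issue()

    def token_with_refresh(self, refresh):
        if refresh not in self.live_refresh:
            raise PermissionError("refresh token unknown or already used")
        self.live_refresh.discard(refresh)    # spent on first use
        self.refresh_grants += 1
        return self._issue()

    def api_call(self, access):
        if access not in self.live_access or not token_is_fresh(access, self.clock(), skew=0):
            return 401, {"error": "invalid_token"}
        return 200, {"ok": True}


class TokenClient:
    """Holds one access/refresh pair; refreshes before expiry, falls back to credentials."""

    def __init__(self, server, app_id, app_secret, clock=time.time):
        self.server, self.clock, self.creds = server, clock, (app_id, app_secret)
        self.access = self.refresh = None

    def _store(self, pair):
        self.access, self.refresh = pair      # persist both; the refresh token works once

    def _reauthenticate(self):
        if self.refresh is not None:
            try:
                self._store(self.server.token_with_refresh(self.refresh))
                return
            except PermissionError:
                self.refresh = None           # spent or revoked: credentials are the last resort
        self._store(self.server.token_with_credentials(*self.creds))

    def ensure_token(self):
        if self.access is None or not token_is_fresh(self.access, self.clock()):
            self._reauthenticate()
        return self.access

    def call(self):
        status, body = self.server.api_call(self.ensure_token())
        if status == 401:                     # server-side revocation: re-auth once and retry
            self._reauthenticate()
            status, body = self.server.api_call(self.access)
        return status, body


def demo():
    now = [1_700_000_000.0]
    def clock(): return now[0]
    server = FakeAuthServer(clock)
    client = TokenClient(server, "app-id", "app-secret", clock)   # placeholder credentials
    s1, _ = client.call()                     # no token yet: credentials grant
    first_refresh = client.refresh
    now[0] += 24 * 3600 - 30                  # inside the 60 s skew window
    s2, _ = client.call()                     # refreshed proactively, no 401 seen
    rotated = client.refresh != first_refresh
    server.live_access.clear()                # simulate server-side revocation
    s3, _ = client.call()                     # 401 -> refresh -> retry
    try:                                      # a spent refresh token is rejected
        server.token_with_refresh(first_refresh)
        reuse_rejected = False
    except PermissionError:
        reuse_rejected = True
    client.refresh = first_refresh            # pretend we persisted a stale refresh token
    now[0] += 24 * 3600                       # and let the access token expire
    s4, _ = client.call()                     # refresh fails -> credentials fallback
    return {"statuses": [s1, s2, s3, s4], "rotated": rotated, "reuse_rejected": reuse_rejected,
            "credential_grants": server.credential_grants, "refresh_grants": server.refresh_grants}


if __name__ == "__main__":
    print(demo())
```

The only state worth persisting is the current access/refresh pair; because the refresh token is consumed on use, whatever you stored must be overwritten atomically with the new pair, or the next process will be holding a spent token and end up on the credentials path.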
Thanks for the quick response. A couple of follow-up questions:
- “You should be checking for validity of the access token before you use it to make an API call” – how do you suggest I do this without making an API call? I attempted to decode the JWT bearer token I received from the Poynt API using the public key from my .pem file, and I was unable to decode it. Is this expected?
- Can I use the same refresh token over and over, or does that expire as well? Wondering what I need to persist in the database vs. what needs to be generated on the fly.
Here is a sample of how to parse the JWT using the Nimbus-JSON-JWT library: https://github.com/poynt/PoyntSamples/blob/master/app/src/main/java/co/poynt/samples/SampleActivity.java#L325 - this is of course not doing the actual validation of the signature, for which you would need our server’s public key. It looks like our public key is not published anywhere, but you can grab it from our server using an openssl command like this:
- $ openssl s_client -showcerts -connect services.poynt.net:443 </dev/null
- You will see a bunch of certs printed in PEM format. Just extract all the certs you see enclosed in “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines and import them into your keystore or whichever format your code needs.
Refresh tokens are “one time” use tokens. You cannot use them more than once.
Perfect, I was able to decode the JWT token using the certificate. Thanks!
How can we generate the JWT token to get the access token in an Android app? Could you please provide me with sample code for generating the JWT token.