Token refresh API

I have Python code that issues a token API request to generate a new access token. The code works fine, returning new access and refresh tokens UNTIL the access token expires (24 hours after being issued). After that, the API responds with:

{"code":"INVALID_ACCESS_TOKEN","httpStatus":401,"message":"Access token is missing or invalid.","developerMessage":"Access token is not a valid token. Token might have expired.","requestId":"ae36c2ea-0046-47e3-ba19-3acf03e28cd2"}

Attempting the token API without the authentication header gets the response:

{"code":"INVALID_ACCESS_TOKEN","httpStatus":401,"message":"Access token is missing or invalid.","developerMessage":"authorization header must carry access token.","requestId":"bcf33f59-fe5d-4c64-8166-f380455673cb"}

The documentation is mixed regarding whether the authentication header is required on token refresh - in the Python example at the bottom of https://poynt.github.io/developer/doc/authentication-authorization.html, there is no authentication header indicated. However, on https://poynt.com/docs/api/#index-index, the HTTP Headers section indicates the authentication token is always required.

So I have three questions:

  1. Is the authentication token required on a token refresh API request?

  2. Does token refresh actually work after the access token has expired and if so, could you provide some suggestions on what I might look at to determine why this is occurring?

  3. Do I need to refresh access tokens prior to their expiration instead of expecting to be able to refresh them after expiration?

The Python (3.4) code snippet that issues the token refresh request (and gets a 401) is below:

from uuid import uuid4

import requests

# refresh_token and access_token hold the most recently issued token pair
request_data = {
    'grantType': 'REFRESH_TOKEN',
    'refreshToken': refresh_token,
}

headers = {
    'api-version': '1.2',
    'Poynt-Request-Id': str(uuid4()),
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'Authorization': 'Bearer ' + access_token,
}

# requests form-encodes a dict passed as data=
url = 'https://services.poynt.net/token/'
response = requests.post(url, headers=headers, data=request_data)

Thanks, peter

Sorry for the confusion.

(1) No, you do not need the authorization header when obtaining a new access token using the refresh token. Here is a sample API call that I just verified:
06-11 12:32:50.804 D/CLOUD-API( 4370): ---> HTTP POST https://services.poynt.net/token
06-11 12:32:50.804 D/CLOUD-API( 4370): api-version: 1.2
06-11 12:32:50.805 D/CLOUD-API( 4370): User-Agent: Test client
06-11 12:32:50.805 D/CLOUD-API( 4370): Content-Type: application/x-www-form-urlencoded; charset=UTF-8
06-11 12:32:50.805 D/CLOUD-API( 4370): Content-Length: 179
06-11 12:32:50.806 D/CLOUD-API( 4370): POYNT-REQUEST-ID: 98a505f7-015c-1000-dfee-819f74a9e26f
06-11 12:32:50.805 D/CLOUD-API( 4370): grantType=REFRESH_TOKEN&refreshToken=1%3A2%3A1%3A2%3Aj%2BW2oGGjkGvwbechkmMxrK515D%2BSs%2BK3tRt6lbCB%2FhPE42Xzvr3w0%2FZntpAx72qNwYbiuwfUSYU84G%2FhM%2FlPNWW7QmBDVUpnkw%2BhJi5gUQw%3D
06-11 12:32:50.805 D/CLOUD-API( 4370): ---> END HTTP (179-byte body)

(2) Yes, the primary purpose of the refresh token is to generate a new accessToken when the current accessToken has expired. But keep in mind the refreshToken is one-time use - so if it’s already used you cannot use it again. Once you refresh using the refreshToken, you will get a new token pair (access & refresh tokens). So I would check if the refreshToken is already used or if the format is incorrect - remember it’s supposed to be “x-www-form-urlencoded”.

(3) The refresh token has no expiry - it only has a one-time-use constraint. So as long as it’s not used yet, you can use it even after your current token has expired. But we do recommend refreshing your accessToken to avoid a failure during a critical API call that would force you to do a token refresh.

Here is a sample from our python-samples repository for refresh token: https://github.com/poynt/python-sample/blob/master/src/PoyntAPI.py#L571
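
The points in the answer above, put together as an added example (not part of the thread and not Poynt's sample code): the refresh request carries no Authorization header, the body is form-urlencoded, both tokens are replaced together because the old refresh token is dead after one use, and the refresh happens shortly before expiry. Assumptions: the response field names `accessToken`, `refreshToken` and `expiresIn`, the 300-second margin, the injected `post` callable, and the `TokenStore` and `FakeTokenEndpoint` names; the fake endpoint is constructed so the block runs offline.

```python
import time
import uuid
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://services.poynt.net/token"  # endpoint shown in the thread

class TokenStore:
    """Holds one token pair; refreshes early and rotates both tokens together."""
    def __init__(self, post, access_token, refresh_token, expires_at,
                 skew=300, clock=time.time):
        self.post, self.clock, self.skew = post, clock, skew
        self.access_token, self.refresh_token = access_token, refresh_token
        self.expires_at = expires_at

    def refresh(self):
        headers = {  # deliberately no Authorization header on a refresh
            "api-version": "1.2",
            "Poynt-Request-Id": str(uuid.uuid4()),
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        }
        body = urlencode({"grantType": "REFRESH_TOKEN",
                          "refreshToken": self.refresh_token})
        status, data = self.post(TOKEN_URL, headers, body)
        if status != 200:
            raise RuntimeError("token refresh failed: %s" % data.get("code"))
        # The refresh token is one-time use, so the old one is now dead:
        # replace (and, in real code, persist) both values in one step.
        self.access_token = data["accessToken"]
        self.refresh_token = data["refreshToken"]
        self.expires_at = self.clock() + data["expiresIn"]  # assumed field name

    def bearer(self):
        """Authorization value for ordinary API calls, refreshed ahead of expiry."""
        if self.clock() >= self.expires_at - self.skew:
            self.refresh()
        return "Bearer " + self.access_token

class FakeTokenEndpoint:
    """Constructed stand-in for the token service, for offline runs only."""
    def __init__(self, first_refresh_token):
        self.unused, self.issued = {first_refresh_token}, 0

    def post(self, url, headers, body):
        token = parse_qs(body)["refreshToken"][0]
        # Simplified: any Authorization header or a reused token gets the 401.
        if "Authorization" in headers or token not in self.unused:
            return 401, {"code": "INVALID_ACCESS_TOKEN"}
        self.issued += 1
        self.unused = {"rt-%d" % self.issued}
        return 200, {"accessToken": "at-%d" % self.issued,
                     "refreshToken": "rt-%d" % self.issued, "expiresIn": 86400}
```

Against the real service, `post` would wrap `requests.post(url, headers=headers, data=body)` and return the status code with the parsed JSON.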