[#1034] Tokens for API requests

Migrated from Redmine #1034 | Author: Tomas Chiller
Status: New | Priority: Normal | Created: 2023-03-23


Hi SimplyBook,

I’m integrating SimplyBook in an external service and have faced several issues.

For integration I use the Webhook option that works very well. After receiving a booking id and notification type I want to get detailed information about the booking using the ‘Get booking details’ method (REST). This method requires an auth token.

I understand I can’t use the basic auth request as I occasionally receive the “Too many attempts …” error (code 403). From previous discussions it’s clear I need to call the ‘Renew token’ method using the refresh token from the auth request. But the returned token is valid for a certain amount of time and I need to renew it again.

It looks like I need to store the latest refresh token either from the auth method or renew method and before the ‘Get booking details’ method renew the token using the stored refresh token. Is it correct?

Are there any best practices for how to organise this flow? Should I call the ‘Renew token’ method before every request to get booking details? Or should I check the token’s released time and only if it’s expired I need to renew it?

Redmine Admin wrote:

Yes, you are correct in that you need to use the refresh token to obtain a new access token for each API request, and it’s a good practice to store the latest refresh token so that you can use it to renew the access token as needed.

Token lifetime is 30 minutes, no need to renew it before each API request.

In terms of best practices, it’s recommended to use a secure method of storing the refresh token, such as a secure key-value store or encrypted database, and to use HTTPS for all API requests to ensure that the tokens and data are transmitted securely. Additionally, it’s a good practice to handle any errors that may occur during the token renewal process, such as expired or invalid refresh tokens.
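
The flow discussed in this thread, as an added example that is not part of the original posts and is not SimplyBook's code: the access token is cached for its 30-minute lifetime, renewed with the stored refresh token only when it is about to expire, and a full login is the fallback when renewal fails. `authenticate`, `renew`, `RenewError` and the dict-like `store` are hypothetical names; a real deployment would back `store` with the encrypted store recommended above.

```python
import threading
import time

TOKEN_LIFETIME = 30 * 60  # seconds; the token lifetime stated in the reply above
RENEW_MARGIN = 60         # assumed safety margin for clock skew and request latency


class RenewError(Exception):
    """Raised by renew() when the refresh token is expired or invalid."""


class TokenCache:
    """Returns a valid access token, renewing it only when it is about to expire.

    authenticate() and renew(refresh_token) are hypothetical callables that wrap
    the auth and 'Renew token' requests and return (access_token, refresh_token).
    store is a dict-like secret store (a plain dict here, for illustration only).
    """

    def __init__(self, authenticate, renew, store, clock=time.time):
        self._authenticate = authenticate
        self._renew = renew
        self._store = store
        self._clock = clock
        self._lock = threading.Lock()

    def get_token(self):
        with self._lock:  # a burst of webhooks triggers one renewal, not many
            now = self._clock()
            expires_at = self._store.get("expires_at", 0)
            if self._store.get("token") and now < expires_at - RENEW_MARGIN:
                return self._store["token"]
            try:
                refresh = self._store.get("refresh_token")
                if refresh is None:
                    raise RenewError("no stored refresh token")
                token, new_refresh = self._renew(refresh)
            except RenewError:
                # Refresh token missing, expired or invalid: one full login.
                token, new_refresh = self._authenticate()
            # Persist the latest refresh token, as the reply advises.
            self._store.update(token=token, refresh_token=new_refresh,
                               expires_at=now + TOKEN_LIFETIME)
            return token

    def invalidate(self):
        """Drop the cached token after the API rejects it, forcing a renewal."""
        with self._lock:
            self._store.pop("token", None)
```

Call `get_token()` before each ‘Get booking details’ request and `invalidate()` if the API rejects the token before its expected expiry.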

Tomas Chiller wrote:

Thanks for the explanation.