[QUESTION] Refresh token timeout

[Prometee]

Is there a timeout on the refresh_token ?

[cpetschnig]

No, in API versions v1, v2 and v3, refresh tokens never time out. If you use the new version 3.1 (currently in beta, find the docs here: https://developer.sage.com/api/accounting/), then refresh tokens expire after 31 days.

[Prometee]

If I store the refresh_token and access_token at 10h and then try to renew the token at 14h in the same day then I got a invalid_grant error both on Postman or on my own php API implementation (with 2 different couple of refresh_token/access_token).

[Prometee]

@cpetschnig I'm checking the new version and there is now a refresh_token_expires_in field. Thanks to spotlight the fact that there is a new API version ;)

[Prometee]

The API 3.1 has the same behaviour, Sage support team say : they use cookies so if I don't send the previous cookie the refresh_token is considered dead...

[cpetschnig]

Here's what works for me in v3 (but it would be the same in v3.1). The example is for Canada.

Authorise:

GET https://www.sageone.com/oauth2/auth/central?client_id=75bxxxxxxxxx&redirect_uri=http%3A%2F%2Flocalhost%3A8123%2Fauth%2Fcallback&response_type=code&scope=full_access&state=89a0

Which browser-redirects to my redirect_uri, when the user has accepted the auth request:

GET http://localhost:8123/auth/callback?code=460xxxxxxxxxxx&country=CA&state=89a0

Then I have 60 seconds to exchange the code for an access token:

POST https://oauth.na.sageone.com/token
Content-Type: application/x-www-form-urlencoded

client_id=75bxxxxxxxxx&client_secret=e36xxxxxxxxxxxx&code=460xxxxxxxxxxx&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A8123%2Fauth%2Fcallback

The above should also work when you send a JSON body. Anyway, it gives me this JSON:

{
  "access_token": "6cexxxxxxxxxxxxxxx",
  "expires_in": 3600,
  "token_type": "Bearer",
  "refresh_token": "d14xxxxxxxxxxxxxx",
  "scopes": "full_access",
  "requested_by_id": "f5axxxxxxxxx",
  "resource_owner_id": "296xxxxxxxxxxxxxx"
}

Refresh token:

POST https://oauth.na.sageone.com/token
Content-Type: application/x-www-form-urlencoded

client_id=75bxxxxxxxxx&client_secret=e36xxxxxxxxxxxx&grant_type=refresh_token&refresh_token=d14xxxxxxxxxxxxxx

Which gives you in principle the same response as the previous call.

In v3, the refresh token does not expire. In v3.1, the refresh token is only valid for 31 days. Then the user has to authorise again.

[cpetschnig]

Cookies are not involved in the exchange/refresh calls. However, the auth page uses a cookie to determine which country the user has previously selected. You can use https://www.sageone.com/?clear to delete the country cookie.

When you are using different user accounts for development, maybe also developing for different countries, I suggest using the incognito mode of the browser.

[Prometee]

So there is a problem because if you simply use Postman :

• make oauth2 authentication
• select the access_token generated
• wait for maybe 3 or 4 hours
• make your first call

You will have an invalid_grant error. So there is something here I don't understand :$

[cpetschnig]

Each access token is valid for 60 minutes in v3, 5 minutes in v3.1. The interval starts when exchange/refresh the token. So after the 3 or 4 hours, do a refresh, then you can make the call.

I've produced the raw material for this video. It shows how to make a request with Postman. But I guess you are already past that.

[Prometee]

I was having a bug into my testing class, that's why I was getting an invalid_grant error... So there is no problem with refresh_token timeout.

To sum up the answer of this thread :

• API v3 : refresh_token will never expires
• API v3.1 : refresh_token expires in 31 days (keep alive mecanism has to be built)

I'm currently building a library and a symfony-bundle for Sageone API client v3.1 with HttPlug dependencies, and configurable token storage type. I'll put the code on GitHub when I write some tests and finish my current imports jobs, so ping me if you want advises or code sample (I will put the link here when it will be available).

[cpetschnig]

Good to hear that 😄 Yes, please keep us notified

[NucsuM]

If you have questions about the Sage Business Cloud Accounting API or want to report problems, then the accounting api section of sagecity.com is the perfect place.