cronofy / cronofy-node

Node wrapper for the Cronofy API
https://docs.cronofy.com/developers
MIT License
49 stars 23 forks

Should availability API use an access token or client secret? #72

Closed mponizil closed 3 years ago

mponizil commented 3 years ago

We experienced some unexpected behavior recently when using the undocumented client.availability(...) endpoint.

Based on the source code, it appears that bearer_token: "<client-secret>" may be used to achieve application authentication. Unfortunately this can be problematic because requests will use config.access_token instead if it's been defined. We don't initialize the client with an access_token, but ultimately we realized that the refreshAccessToken method will populate config.access_token on its own.

So the result is that availability(...) works the first time, but if refreshAccessToken is used, a subsequent call to availability(...) may use an expired access token (or potentially one for a user that's not even involved in the availability request).

This seems potentially OK since there's no documentation around passing in bearer_token, but I did want to clarify if there's a best practice here or anything I might be missing.

  1. Do we need to refresh access tokens for all users included in an availability request? (we haven't observed this to be necessary)
  2. Our solution is to pass access_token: "<client-secret>" to the availability(...) request. Does this sound like the right approach, or would it be better to use an access_token of one of the users included in the request?

Thank you!
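The credential-precedence behaviour the report above describes, modelled as an added JavaScript example (not cronofy-node's source and not the reporter's code). It assumes a per-request access_token wins over the shared config.access_token, which in turn wins over a per-request bearer_token, as the post states; the names createClient, resolveBearer, availability and refreshAccessToken, and the constructed token strings, are assumptions made for the illustration.

```javascript
// Added example: a minimal model of the credential precedence described in the
// issue, so the failure sequence can be reproduced offline. Not cronofy-node's
// code; createClient, resolveBearer, availability and refreshAccessToken are
// names assumed for this illustration.

const CLIENT_SECRET = "example-client-secret"; // constructed, not a real secret

// Precedence as reported: per-request access_token, then whatever is on the
// shared config, and only then the per-request bearer_token.
function resolveBearer(config, opts = {}) {
  return opts.access_token || config.access_token || opts.bearer_token || null;
}

function createClient(initial) {
  // One mutable config object is shared by every call made through this client.
  const config = { ...initial };
  return {
    config,
    // Modelled refresh: the new user token is written onto the shared config,
    // which is the side effect that changes later availability() calls.
    refreshAccessToken(refreshToken) {
      const token = `user-token-for-${refreshToken}`;
      config.access_token = token;
      return token;
    },
    // Returns the bearer the request would carry instead of sending anything.
    availability(opts) {
      return { bearer: resolveBearer(config, opts) };
    },
  };
}

// The three-step sequence from the report, run on a single shared client.
function reproduce() {
  const client = createClient({ client_id: "app", client_secret: CLIENT_SECRET });
  // First call: no access_token on the config yet, so the client secret is used.
  const beforeRefresh = client.availability({ bearer_token: CLIENT_SECRET }).bearer;
  client.refreshAccessToken("refresh-for-user-a");
  // Same call after a refresh: user A's token now shadows bearer_token.
  const afterRefresh = client.availability({ bearer_token: CLIENT_SECRET }).bearer;
  // The reporter's workaround: pass the client secret as the per-request access_token.
  const withOverride = client.availability({ access_token: CLIENT_SECRET }).bearer;
  return { beforeRefresh, afterRefresh, withOverride };
}

// Alternative: keep user tokens off the client used for application-level calls.
// One instance per user for refreshes, a separate instance for app-level auth.
function isolated() {
  const appClient = createClient({ client_id: "app", client_secret: CLIENT_SECRET });
  const userClient = createClient({ client_id: "app", client_secret: CLIENT_SECRET });
  userClient.refreshAccessToken("refresh-for-user-b");
  return {
    appBearer: appClient.availability({ bearer_token: CLIENT_SECRET }).bearer,
    userBearer: userClient.availability({}).bearer,
  };
}

console.log(reproduce(), isolated());
```

The security point the model makes visible is that a single client object mixes an application credential with whatever user token was most recently refreshed, so an application-level call can silently go out under one user's (possibly expired) token. Either override the credential explicitly on every application-level request, as the reporter does, or use a client instance that never has refreshAccessToken called on it for those requests.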

AdamWhittingham commented 3 years ago

Hi @mponizil.

Sorry you're having some problems! Would you mind contacting us at support@cronofy.com please?

We could do with a few more details to help us find logs and build some accurate replication steps, so that will be best done through our support rather than here.

Speak to you there!