smartcar / python-sdk

Smartcar Python SDK
MIT License

redirect_uri for an autonomous backend app #91

Closed arrowstem closed 3 years ago

arrowstem commented 3 years ago

Hello,

this is not an issue per se but rather a question about something I couldn't find in the docs. They describe in much detail how an app gets authenticated when the user logs in via a web page or mobile app, and then "user’s browser is redirected to a specified redirect_uri." This doesn't work for me though. I'm developing a fully autonomous back-end app that won't have a front-end and which must work without the user who would manually log in and without a browser or another UI object. I wasn't able to find docs that would describe how to proceed in such a situation. Here's where I am now: I created a client and obtained auth_url as described in the docs:

client = smartcar.AuthClient(client_ID, client_secret, client_secret, redirect_uri, scope)
auth_url = client.get_auth_url()

My redirect_uri points to a URL on my server at which my app is listening and will parse a request when received. What should I do now to ask smartcar to send that request to my redirect_uri? I tried r = requests.get(auth_url) but I've got <Response [400]> / Bad request. No request was sent to redirect_uri. Please advise.

Thank you,

Greg (dev ID 8f272ab7-e2ae-428b-83cc-bdfb6c44edce)

gurpreetatwal commented 3 years ago

Hi @arrowstem :wave:

Unfortunately there's no way for us to meet the requirement of "it must work without the user who would manually log in and without a browser or another UI object" as that would require your application to handle the user's credentials and then pass them to Smartcar. However, there are a couple of common patterns that you can make use of if it's possible to loosen that requirement.

  1. If you have the user's email address you could send them an email that contains the auth_url and then they can authenticate with Smartcar at their convenience. Note: you'll probably want to make use of the state parameter so you can correlate the authorization_code you receive with the user that authenticated.
  2. If you are the only intended user of the app (or there will only be a few users) you can just create the link once, authenticate with Smartcar and then just use the refresh token to retain your access.

Hopefully that's helpful! :)

Feel free to e-mail support@smartcar.com if you need further help and our lovely support team will help you out
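
One way to build the state value suggested in option 1 above, as an added example that is not part of the original thread or of Smartcar's SDK: the state carries the user identifier plus an HMAC, so the handler at redirect_uri can trust which user an authorization_code belongs to. The key handling, the one-week lifetime and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret that never leaves the backend (constructed here).
STATE_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 7 * 24 * 3600  # assumption: emailed links stay valid for a week


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(user_id, key=STATE_KEY, now=None):
    """Build the value to pass as the OAuth state parameter for one user."""
    issued = int(time.time() if now is None else now)
    # The random nonce makes every link unique; it is not tracked for single use here.
    payload = f"{user_id}|{issued}|{secrets.token_hex(8)}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(tag)}"


def verify_state(state, key=STATE_KEY, now=None):
    """Return the user_id bound to a callback's state, or None if forged or stale."""
    try:
        payload_b64, tag_b64 = state.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    # Payload is authenticated at this point, so parsing it is safe.
    user_id, issued, _nonce = payload.decode().rsplit("|", 2)
    current = time.time() if now is None else now
    if current - int(issued) > MAX_AGE_SECONDS:
        return None
    return user_id
```

The callback handler would call verify_state on the state query parameter before exchanging the code, and discard the request when it returns None.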

arrowstem commented 3 years ago

Hi gurpreetatwal,

thank you for your answer, it makes perfect sense. I have a follow-up question: would it be possible to use the refresh token for an unlimited time? It looks like it has a 2-month expiration limit when it's issued originally. Will that validity interval reset to another 2 months once the refresh token is used before its expiration? My goal is to avoid asking the EV owners to go through the manual authentication process every 2 months.

gurpreetatwal commented 3 years ago

> Will that validity interval reset to another 2 months once the refresh token is used before its expiration?

Yup! Every time your application uses a refresh token, that refresh token is consumed (i.e. it cannot be re-used) and a new one is issued that expires two months from that date. A common pattern here is to set up a cron job of sorts that refreshes the tokens on a periodic basis to keep the access valid.

Given this, we do recommend that all of our clients implement the disconnect endpoint and make it easily accessible so that a vehicle owner may revoke their authorization if they so choose.