Access Token Expiration

Hi,

Is there a way to force an access token to expire? I need to test my code
to refresh the token and would rather not wait a week :slight_smile:

Thanks
Ross

I’ve given that a go and have run into some slightly strange behaviour.
Using curl I am doing the following…

Retrieve company details using the current access token:

curl https://api.sandbox.freeagent.com/v2/company
-H “Authorization: Bearer <CURRENT_ACCESS_TOKEN>”
-H “Accept: application/json”
-H “Content-Type: application/json”
-X GET

I then refresh the access token:

curl https://api.sandbox.freeagent.com/v2/token_endpoint
-H “Authorization: Basic <BASE64_ENCODED_CLIENTID_SECRET>”
-d “grant_type=refresh_token&refresh_token=<REFRESH_TOKEN>”

This all works as expected and returns me a new access token. The strange
thing is I can now retrieve customer details using both the new access
token AND the old access token. Am I missing something? Or is the old token
not being expired?

Hi,

Ok, thanks for the response. I figured this would be the case, I just
needed to confirm it with you myself.
My alternative was indeed to create a separate service to synchronise the
data however this isn’t going to be cheap for our customer so I was hoping
to avoid it.

Thanks,

DashOn Thursday, 9 April 2015 15:13:54 UTC+1, James Bell wrote:

Hi Dashiell,

There is no way to get a longer lasting access token; our OAuth 2.0
implementation deliberately sets a 7 day expiration on the token as part of
our API security model. The refresh token has a longer expiry time, since
it also requires a client secret for regeneration, but as you know this
can’t be used to access the FreeAgent API directly.

Typically, the access token renewal is triggered from a server somewhere,
which is also running the code for the API calls. However it sounds like
you are unable to programatically do this in your setup. If that is the
case, then I’m afraid we can’t offer anything via the API for you.

I’m not familiar with Zoho Reports, but it looks like it has an API for
uploading data. It may be possible to have an independent program running
to fetch (and cache) the access token for the day, which is then used to
fetch information from the FreeAgent API and upload it to Zoho Reports.

I hope that helps,

James

–
James Bell

FreeAgent

Dashiell Bunyan <javascript:>
9 April 2015 13:59
Hi,

Thanks for the reply.

We aren’t authorising the integration from scratch. The problem is the
access token timeout.

If the token times out and we have to manually get a new one with the
refresh token then this integration is useless.
I can’t programatically retrieve a new access token in the system we are
working with but I need to retrieve data using the API on a schedule.
I don’t want to be manually getting a new access token each day to put
into the app.

If there is no way to create a permanent access token for the application
I am trying to integrate with then I will have to go with another solution.

Thanks,

Dash

You received this message because you are subscribed to the Google Groups
“FreeAgent API” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to freeagent_ap...@googlegroups.com <javascript:>.
To post to this group, send email to freeag...@googlegroups.com
<javascript:>.
Visit this group at http://groups.google.com/group/freeagent_api.
For more options, visit https://groups.google.com/d/optout.
David Jones <javascript:>
8 April 2015 12:44
Hi Dashiell,

From your description of the problem, it sounds like you’re re-authorising
your integration from scratch every day, rather than making use of OAuth’s
token system.
When you authorise your integration against your client’s account, you’re
granted an authorisation token. This is then exchanged for an access
token AND a refresh token.

As you’ve noticed, the access token is only useful for 24 hours. You
can, however, use your refresh token to retrieve a new access token
at any time. This can be done without the need to re-authenticate your
application from scratch.

More information on how this works can be found in the OAuth section of
our documentation:
https://dev.freeagent.com/docs/oauth

I hope this helps!

Dave J

–
David Jones
Senior Support Engineer

FreeAgent

You received this message because you are subscribed to the Google Groups
“FreeAgent API” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to freeagent_ap...@googlegroups.com <javascript:>.
To post to this group, send email to freeag...@googlegroups.com
<javascript:>.
Visit this group at http://groups.google.com/group/freeagent_api.
For more options, visit https://groups.google.com/d/optout.
Dashiell Bunyan <javascript:>
8 April 2015 12:03

Hi,

I am currently working with one of your customers to set up an integration
for their system.
We have run into some problems with the authentication as we are having to
constantly regenerate the API key on a daily basis to get the requests to
work.

Our issue is that we are using a software package that doesn’t allow us to
script the regeneration of the key.
Having to do this manually every day means that we may as well just be
doing a manual data import each day.

(To be more specific about the software we are using, it’s Zoho Reports)

Could you please advise on this issue as I am not sure if its even
possible to get around this with your API.

Thanks,

Dash

You received this message because you are subscribed to the Google Groups
“FreeAgent API” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to freeagent_ap...@googlegroups.com <javascript:>.
To post to this group, send email to freeag...@googlegroups.com
<javascript:>.
Visit this group at http://groups.google.com/group/freeagent_api.
For more options, visit https://groups.google.com/d/optout.

Hi,

Thanks for the reply.

We aren’t authorising the integration from scratch. The problem is the
access token timeout.

If the token times out and we have to manually get a new one with the
refresh token then this integration is useless.
I can’t programatically retrieve a new access token in the system we are
working with but I need to retrieve data using the API on a schedule.
I don’t want to be manually getting a new access token each day to put into
the app.

If there is no way to create a permanent access token for the application I
am trying to integrate with then I will have to go with another solution.

Thanks,

Dash

Hi Dashiell,

From your description of the problem, it sounds like you’re re-authorising
your integration from scratch every day, rather than making use of OAuth’s
token system.
When you authorise your integration against your client’s account, you’re
granted an authorisation token. This is then exchanged for an access
token AND a refresh token.

As you’ve noticed, the access token is only useful for 24 hours. You can,
however, use your refresh token to retrieve a new access token at any
time. This can be done without the need to re-authenticate your application
from scratch.

More information on how this works can be found in the OAuth section of our
documentation:
https://dev.freeagent.com/docs/oauth

I hope this helps!

Dave JOn 8 April 2015 at 12:03, Dashiell Bunyan oliverdashiell@gmail.com wrote:

Hi,

I am currently working with one of your customers to set up an integration
for their system.
We have run into some problems with the authentication as we are having to
constantly regenerate the API key on a daily basis to get the requests to
work.

Our issue is that we are using a software package that doesn’t allow us to
script the regeneration of the key.
Having to do this manually every day means that we may as well just be
doing a manual data import each day.

(To be more specific about the software we are using, it’s Zoho Reports)

Could you please advise on this issue as I am not sure if its even
possible to get around this with your API.

Thanks,

Dash

–
You received this message because you are subscribed to the Google Groups
“FreeAgent API” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to freeagent_api+unsubscribe@googlegroups.com.
To post to this group, send email to freeagent_api@googlegroups.com.
Visit this group at http://groups.google.com/group/freeagent_api.
For more options, visit https://groups.google.com/d/optout.

David Jones
Senior Support Engineer

FreeAgent

Ah, of course! Thanks for the help :slight_smile:

Hi Dashiell,

There is no way to get a longer lasting access token; our OAuth 2.0
implementation deliberately sets a 7 day expiration on the token as part
of our API security model. The refresh token has a longer expiry time,
since it also requires a client secret for regeneration, but as you know
this can’t be used to access the FreeAgent API directly.

Typically, the access token renewal is triggered from a server
somewhere, which is also running the code for the API calls. However it
sounds like you are unable to programatically do this in your setup. If
that is the case, then I’m afraid we can’t offer anything via the API
for you.

I’m not familiar with Zoho Reports, but it looks like it has an API for
uploading data. It may be possible to have an independent program
running to fetch (and cache) the access token for the day, which is then
used to fetch information from the FreeAgent API and upload it to Zoho
Reports.

I hope that helps,

James

James Bell

FreeAgent

Hi,

I am currently working with one of your customers to set up an integration
for their system.
We have run into some problems with the authentication as we are having to
constantly regenerate the API key on a daily basis to get the requests to
work.

Our issue is that we are using a software package that doesn’t allow us to
script the regeneration of the key.
Having to do this manually every day means that we may as well just be
doing a manual data import each day.

(To be more specific about the software we are using, it’s Zoho Reports)

Could you please advise on this issue as I am not sure if its even possible
to get around this with your API.

Thanks,

Dash

Anyone?

Hi Ross,

If you refresh the access token with the refresh token, the original access
token will be expired. So to test out your code you could make a curl call
to refresh the access token which will invalidate the access token your app
is holding. You can then see how your app behaves. In any case all that
will happen is that your app will receive a 403 Forbidden when it tries to
use the expired access token.

Kind regards,

GraemeOn 9 May 2012 10:09, Ross Grayton rossgrayton@gmail.com wrote:

Hi,

Is there a way to force an access token to expire? I need to test my code
to refresh the token and would rather not wait a week :slight_smile:

Thanks
Ross

–
You received this message because you are subscribed to the Google Groups
“FreeAgent API” group.
To view this discussion on the web visit
https://groups.google.com/d/msg/freeagent_api/-/Fow5Oei0HVIJ.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to
freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/freeagent_api?hl=en.

Graeme Boyd
Senior Software Engineer
FreeAgent Central Ltd
40 Torphichen Street, Edinburgh EH3 8JB
Registered in Scotland SC316774

Hi Ross,

I’m really sorry you’ve been waiting so long for a response on this.

It looks like you might have stumbled on a bug with how we’re handling the
refresh tokens.

The old access token will expire when it should, but it looks like we’re
not explicitly expiring the old token when you request a refresh.

I’ll pull this into our tracker for investigation and a fix, thanks for
bringing it to my attention.

Best wishes,

Ryan Stenhouse
Ruby Engineer

FreeAgent Central Ltd
40 Torphichen Street
Edinburgh, EH3 8JB

Registered in Scotland: SC316774