I want to use FreeAgent to automatically create invoices for payments processed outside of FreeAgent. This will be done from a billing service in my server. How can I get an access token for my account that doesn’t expire and can be used for server-to-server communication?
I’m afraid the very nature of access tokens is that they expire, and a non-expiring token is not desirable as it introduces a security risk. All is not lost however, as when you receive an access token you will also get a refresh token which can be used in future to obtain further access tokens as they expire.
Your app will need to either refresh the access token periodically before it expires, or handle responses after the access token has already expired (using the refresh token to obtain a new access token and reattempting the original request).
Currently access tokens expire every 7 days however this is something we’re looking at reducing to further improve our users’ security, so we’d strongly recommend any integrations make provision for this from the outset.
Hope that helps,
Thanks for the prompt response Paul, the flow you describe works OK for an app that has a UI where a user OAuths against their account to then use the app. It doesn’t quite work for server-to-server integration as given your example it looks like we’ll have to manually OAuth against our Freeagent account then pass that refresh token onto our server so that it can operate, is that correct?
That’s correct. The refresh token should never expire though, so should just continue to work (unless the user revokes the permissions for your integration).
If you want to avoid building an authorisation workflow into your app, I’d suggest you authorise the integration using the Google OAuth playground and grab the required tokens from the UI there. These can then be used within your app to make the required API calls.
Let us know if you run into any other problems,
@Paul_Smith Google seem to have implemented a “two legged” OAuth2 flow for use cases like this, where people need back-end-only apps to access Google Drive etc.
If Freeagent does not support that, I’m wondering how to best replicate it. I’m thinking of creating a user with limited permissions inside our company Freeagent account. Then doing all that you suggest: going through the OAuth process for that user manually once, and using the refresh_token to keep our app running. Is there anything else I could/should do?
No, that sounds correct to us - using the refresh token to obtain new access tokens as required should keep your app running for the forseeable future (refresh tokens don’t expire).
As for which user account you associate your app with, so long as the user you create has the correct permission level to carry out whichever operations in the API you need then all should be well.
We don’t have any plans to implement the “two legged” auth workflow at this time, but we’ll certainly take it into account should we plan any architectural changes to the FreeAgent API Auth workflow.