[Request] provide REST function for token refresh

Access tokens expire. Long-running applications (e.g. ones whose browser window/tab is not closed for a long time) may experience token expiration.

Right now, there seem to be two alternatives:

  • let the user log in again (this might badly affect user experience)
  • auto-login the user again (this would require storing the user’s password internally, which is not the polite English way)

From other projects I know the alternative that a still valid token may be used to get a new one - something like a “token refresh”. Token refresh usually becomes available after 60%-75% of the token lifetime and avoids having to store any customer credentials inside an application. A new login would then only be required if the token couldn’t be refreshed in time.

Additionally, applications normally do not have to refresh tokens themselves - that feature is usually “hidden” inside a client library and checked during every request made.

Would it be possible to provide a token refresh in VoltCloud? As a consequence you could even reduce the lifetime of your tokens.
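The client-side behaviour described in this post (refresh once a still-valid token has passed a fraction of its lifetime, checked on every request, fall back to a fresh login only when that was missed) as an added example; this is not VoltCloud code, and the `refresh` callable stands in for a refresh endpoint that the platform does not currently offer.

```python
# Added example, not part of the original post or of VoltCloud's client library.
from dataclasses import dataclass
from typing import Callable


class LoginRequired(Exception):
    """Raised when the token expired before it could be refreshed."""


@dataclass
class Token:
    value: str
    issued_at: float   # seconds since epoch
    expires_at: float  # seconds since epoch


class TokenSession:
    """Wraps a token and refreshes it transparently before each request."""

    def __init__(self, token: Token, refresh: Callable[[str, float], Token],
                 threshold: float = 0.7):
        # refresh(old_value, now) -> Token is the hypothetical refresh call;
        # threshold=0.7 sits in the 60%-75% window mentioned in the post.
        self.token = token
        self._refresh = refresh
        self.threshold = threshold
        self.refreshes = 0

    def ensure_fresh(self, now: float) -> str:
        """Return a token value usable for a request made at time `now`."""
        t = self.token
        if now >= t.expires_at:
            # A refresh needs a still-valid token, so this is too late.
            raise LoginRequired("token expired; user must log in again")
        elapsed = (now - t.issued_at) / (t.expires_at - t.issued_at)
        if elapsed >= self.threshold:
            self.token = self._refresh(t.value, now)
            self.refreshes += 1
        return self.token.value


def demo_refresh(old_value: str, now: float, lifetime: float = 1000.0) -> Token:
    """Constructed stand-in for a refresh endpoint: new token, same lifetime."""
    return Token(old_value + "+", issued_at=now, expires_at=now + lifetime)


if __name__ == "__main__":
    session = TokenSession(Token("tok", 0.0, 1000.0), demo_refresh)
    for now in (100, 699, 700, 1399, 1400):
        print(now, session.ensure_fresh(now))
```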

Currently API tokens expire after 30 days of being issued. At that point you would require the user to reauthenticate before making further requests. If this is done via a modal popover dialog, it shouldn’t be too disruptive. You can even require the user to log in prior to token expiration since you have access to the token details.

I have considered switching to a much shorter token expiration with refresh tokens. It could make certain API calls more efficient and is certainly more in line with common practices in 2021. I’ll open a feature request for this. Thanks for the suggestion!

I’m used to applications (with much higher security requirements) where tokens expire after a few minutes unless the user actively submits new requests (which then refresh the current token).

Perhaps it might be an interesting idea to let the application developer specify the token expiration time? He/she could then customize behaviour depending on actual requirements (the super-duper-online-banking-app could choose 5 minutes while most applications could stay with those 30 days).

I would definitely not suggest using our platform for anything with high security requirements (like banking). 30 days was chosen as a good compromise value for apps that have medium to low security requirements, but it’s not perfect for everyone. I do agree that being able to specify the token refresh on a per app basis would be a good feature, and I’ll open a feature request for that as well.

Well, don’t take my online-banking example too seriously, I just did not have any better idea in that moment.