Refresh Token! Assumptions/Questions


I’m trying to get my head around the token usage on Infusionsoft, are the following statements correct -

  1. You MUST request an access token via the Infusionsoft UI which then returns to a callback URL?
  2. In order to be able to programtically call the API you must use the refresh token in a 24 hr period to request an access token and another refresh token, and then keep repeating this cycle?

If these are true are there any plans in the works to make this more user friendly?

EDIT: I should have mentioned that I’ve read the API docs but it’s not clear hence this post.

Hi @Phil_Doh OAuth can be a little difficult to understand if you are not yet familiar but I will try to explain in a more concise way.

How the access token request works is, a client will request an access token from Infusionsoft. That request for a token is then accepted (if you have correct credentials) and returned to the requester (callback uri). You will then take that response and store the access and refresh tokens. The access token will be valid for 24 hours, and you will need to exchange the refresh token for a new access token when the original access token expires (preferably before it expires) you should then get a new access token and a new refresh token. This will need to repeat as long as you access the api through OAuth.

This flow may sacrifice some user-friendliness for protection, but depending on which programming language you are using, you should be able to find some frameworks that handle this exchange (OAuth2 flow).

Please feel free to let us know if you have any further questions or concerns about the OAuth2 flow.

1 Like

This might help some

1 Like

@John_Borelli we should just make your video mandatory watching during community registration :slight_smile:

1 Like

lol thanks @bradb, glad it’s helpful :wink:

Thanks for posting that video, it’s well put together.

Unfortunately it didn’t answer all my questions. It confirmed that it is a 24 hr expiration when it doesn’t actually need to be this short and yes, the onus is on the caller to have to cycle through refresh tokens.

Surely as developers and gauging the number of questions on this subject you can see this is a poor implementation, it’s more complex while not adding any security (people mistakenly think it does).

OAuth is deemed a poor option these days, do you guys have any plans to move away from it? It’s a real negative for Infusionsoft when evaluating marketing platforms.

1 Like

PCI compliance is the reason I’ve been told for the 24 hour expiration. OAuth is actually increasingly getting used more and more as a preferred more secure authentication method as SSO’s don’t provide autonomy of login and credentials so a 3 legged process creates that buffer. Infusionsoft is moving more and more into OAuth implementations not away from them. The api key method is officially deprecated and will eventually be no longer used. For more clarity, maybe an Infusionsoft employee has more details on that.