Best practices
These are the best practices for
managing the OAuth 2.0 token:
- Obtain an access token when you access the API for first time or when the existing access token expires.
- When the access token is issued, its “expires_in” time is provided as well. Use this as a
guideline for keeping the access token.
For example, if the access token expires in 2 hours, continue to use it for 1h55m. Then, obtain a new token when the current token expires or is revoked.
- Obtaining an access token for each API call is an anti-pattern and must be avoided.
- If you receive a refresh token along with an access token, use the refresh token to refresh the access token when the access token expires.
- For a clustered application, there should be a common OAuth2 token management layer that obtains and securely stores the tokens.