OAuth 2.0 Token Management
The diagram below shows the sequence of calls that happens back and forth between the authorization server, the mobile application, and ION API.
The authorization sequence begins when the application launches the sign-in process. The application loads an authorization page in the browser or within the application (based on your preference); the URL includes query parameters that indicate the type of access being requested. The result is an authorization code, which the application can exchange for an access token and a refresh token.
By default, access tokens have limited lifetimes (currently about two hours). If your application needs access to an ION API beyond the lifetime of a single access token, it can obtain a refresh token. A refresh token allows your application to obtain new access tokens. The application should store the refresh token for future use and use the access token to access an ION API. Once the access token expires, the application uses the refresh token to obtain a new one.