Best practices

These are the best practices for managing the OAuth 2.0 token:
  • Obtain an access token when you access the API for the first time or when the existing access token expires.
  • When the access token is issued, its “expires_in” time is provided as well. Use this as a guideline for how long to keep (cache) the access token.

    For example, if the access token expires in 2 hours, continue to use it for 1h55m. Then, obtain a new token when the current token expires or is revoked.

  • Obtaining an access token for each API call is an anti-pattern and must be avoided.
  • If you receive a refresh token along with an access token, use the refresh token to refresh the access token when the access token expires.
  • For a clustered application, there should be a common OAuth2 token management layer that obtains and securely stores the tokens.
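The following token manager is an added example (not code from the page) that implements the practices above in one place: it obtains a token on the first call, reuses it from a cache until the “expires_in” window minus a safety margin (2 hours becomes 1h55m), renews it with the refresh token when that window closes, and falls back to a fresh grant if the refresh token has been revoked. The `FakeAuthServer`, the `grant`/`refresh` callables, the `store` parameter and the injected `clock` are constructed for the example; a real deployment would wire the callables to its authorization server's token endpoint.

```python
"""Added example: centralised OAuth 2.0 access-token management."""
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Safety margin before the issuer's expiry: a 2-hour token is used for
# 1h55m and then renewed, as in the page's example.
DEFAULT_MARGIN_SECONDS = 5 * 60


@dataclass
class Token:
    access_token: str
    expires_at: float                      # absolute time in time.time() seconds
    refresh_token: Optional[str] = None

    def usable(self, now: float, margin: float) -> bool:
        """True while the token is still worth sending (expiry minus margin)."""
        return now < self.expires_at - margin


class TokenManager:
    """Single place that obtains, caches and renews the access token.

    request_token() performs the initial grant, refresh(rt) exchanges a refresh
    token; both return the issuer's JSON dict with at least access_token and
    expires_in. ``store`` is a dict-like object (hypothetical interface) so a
    clustered deployment can plug in a shared, access-controlled store.
    """

    def __init__(self, request_token: Callable[[], Dict], refresh: Callable[[str], Dict],
                 store=None, margin: float = DEFAULT_MARGIN_SECONDS, clock=time.time):
        self._request_token, self._refresh = request_token, refresh
        self._store = store if store is not None else {}
        self._margin, self._clock = margin, clock
        self._lock = threading.Lock()
        self.grants = 0                    # calls to the token endpoint (to show it stays low)

    def _parse(self, response: Dict, now: float) -> Token:
        return Token(response["access_token"], now + float(response["expires_in"]),
                     response.get("refresh_token"))

    def get_access_token(self) -> str:
        now = self._clock()
        with self._lock:                   # one renewal per process, not one per caller
            cached: Optional[Token] = self._store.get("token")
            if cached is not None and cached.usable(now, self._margin):
                return cached.access_token  # normal path: no token request per API call
            self.grants += 1
            if cached is not None and cached.refresh_token:
                try:
                    fresh = self._parse(self._refresh(cached.refresh_token), now)
                except PermissionError:    # refresh token revoked or expired: new grant
                    fresh = self._parse(self._request_token(), now)
            else:
                fresh = self._parse(self._request_token(), now)
            self._store["token"] = fresh
            return fresh.access_token


class FakeAuthServer:
    """Constructed stand-in for a token endpoint so the example runs offline."""
    def __init__(self):
        self.issued, self.revoked = 0, set()

    def _issue(self) -> Dict:
        self.issued += 1
        return {"access_token": f"at-{self.issued}", "expires_in": 7200,
                "refresh_token": f"rt-{self.issued}"}

    def grant(self) -> Dict:
        return self._issue()

    def refresh(self, refresh_token: str) -> Dict:
        if refresh_token in self.revoked:
            raise PermissionError("invalid_grant")
        return self._issue()


def simulate():
    """Walk a token through its lifetime with a fake clock; returns (label, token, grants)."""
    server, clock = FakeAuthServer(), {"now": 1_000_000.0}
    mgr = TokenManager(server.grant, server.refresh, clock=lambda: clock["now"])
    events = [("t+0", mgr.get_access_token(), mgr.grants)]   # first API call: obtain
    for _ in range(100):                                     # many calls, same token
        mgr.get_access_token()
    clock["now"] += 7200 - DEFAULT_MARGIN_SECONDS - 1         # 1h54m59s: still cached
    events.append(("t+1h54m59s", mgr.get_access_token(), mgr.grants))
    clock["now"] += 2                                        # past 1h55m: refresh
    events.append(("t+1h55m01s", mgr.get_access_token(), mgr.grants))
    server.revoked.add("rt-2")                               # revoke the live refresh token
    clock["now"] += 7200                                     # token expired: refresh fails, new grant
    events.append(("revoked", mgr.get_access_token(), mgr.grants))
    return events


if __name__ == "__main__":
    for label, token, grants in simulate():
        print(f"{label:>12}: {token} (token-endpoint calls so far: {grants})")
```

The in-process lock and dict are stand-ins: for the clustered case the page describes, the store must be shared across nodes (and protected so only the token layer can read it), and the renewal section needs a cluster-wide lock or a single renewer, otherwise every node re-requests tokens at the same moment.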