Data requested through the Data API is either available to everyone (public data) or only to authorised users (private data). Private data requires a valid access token. With the new refresh token flow for the Data API, users can extend their active session instead of starting a new one.
Data API consumers that authenticate with a JWT can now use a refresh token flow to extend the access token expiration, instead of having to log in again every time a JWT expires.
Refresh token
The login mutation has been updated to return a refreshToken:
mutation login {
  login(
    username: "<username>",
    password: "<password>",
    authProfileUuid: "<authProfileUuid>"
  ) {
    isValid
    jwtToken
    refreshToken
  }
}
This token can be used in the new refreshToken mutation to extend your login: the mutation returns a new access token, jwtToken. Be aware that, for security reasons, a refreshToken can only be used once; the user receives a new one when the mutation completes:
mutation refresh {
  refreshToken(
    token: "<refreshToken>"
  ) {
    isValid
    jwtToken
    refreshToken
    refreshExpiresIn
  }
}
Revoking a token
A refreshToken can also be revoked at any time, using the revokeRefreshToken mutation:
mutation revoke {
  revokeRefreshToken(
    token: "<refreshToken>"
  ) {
    removed
    refreshId
  }
}
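Because each refreshToken is single-use, a client has to swap in the new token pair after every refresh and revoke the token on logout. The sketch below is an added example, not code from the Data API or its documentation: the Session class, the transport callable, the $token variable of type String!, the shape of a failed response and the FakeServer stand-in with its sample values are all assumptions made so that it runs offline.

```python
import secrets
import threading

# Mutation shapes follow the page; passing the token as a $token variable of
# type String! is an assumption about the schema.
REFRESH = ("mutation refresh($token: String!){ refreshToken(token: $token)"
           "{ isValid jwtToken refreshToken refreshExpiresIn } }")
REVOKE = ("mutation revoke($token: String!){ revokeRefreshToken(token: $token)"
          "{ removed refreshId } }")

class Session:
    """Hypothetical client: holds the token pair and rotates it on refresh."""
    def __init__(self, transport, jwt, refresh_token):
        self._send, self.jwt, self._refresh = transport, jwt, refresh_token
        self._lock = threading.Lock()  # one refresh at a time: token is single-use

    def refresh(self):
        with self._lock:
            out = self._send(REFRESH, {"token": self._refresh})["refreshToken"]
            if not out["isValid"]:
                self.jwt = self._refresh = None  # nothing usable left: log in again
                return False
            # Replace both tokens together; the old refresh token is now spent.
            self.jwt, self._refresh = out["jwtToken"], out["refreshToken"]
            return True

    def logout(self):
        with self._lock:
            out = self._send(REVOKE, {"token": self._refresh})["revokeRefreshToken"]
            self.jwt = self._refresh = None
            return out["removed"]

class FakeServer:
    """Constructed stand-in for the Data API: refresh tokens are single-use."""
    def __init__(self):
        self.live = {"rt-initial"}  # constructed sample token
    def __call__(self, query, variables):
        token = variables["token"]
        valid = token in self.live
        self.live.discard(token)  # used or revoked: never valid again
        if "revokeRefreshToken" in query:
            return {"revokeRefreshToken": {"removed": valid, "refreshId": "id-placeholder"}}
        if not valid:  # spent, revoked or unknown token (failure shape is assumed)
            return {"refreshToken": {"isValid": False, "jwtToken": None, "refreshToken": None}}
        new = "rt-" + secrets.token_hex(8)
        self.live.add(new)
        return {"refreshToken": {"isValid": True, "jwtToken": "jwt-" + secrets.token_hex(8),
                                 "refreshToken": new, "refreshExpiresIn": 3600}}
```

A failed refresh on a token the client believes is current means that token was already spent or revoked elsewhere, so the session is cleared and the user has to log in again.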