Token Creation & Token Management
In this step, as per the OAuth protocol, the code received by the client in the authorization step is exchanged for the access_token, which is used to access the Xoxoday storefront within the scopes allowed by the user.
Because this request involves sensitive information (the client_secret), the client server must make the following POST request to get the access_token.
Upon expiry, the access token can be regenerated using the refresh token returned in the response, with the following request:
Note: In the above response, the refresh_token is newly generated. The client server must therefore replace the old refresh token with this new refresh token.
Although the access_token expires after 30 days and the refresh_token after 60 days, Xoxoday recommends calling the refresh-token API (access token generation from the refresh token) on every 4xx error, so that there is no downtime if a token is invalidated before the 30-day expiry.
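The rotation and refresh-on-4xx behaviour described above, sketched as an added example (not Xoxoday's code). `TOKEN_URL` is a placeholder because the endpoint URL is not given on this page; `TokenManager` and the injected `post` transport are hypothetical names, and a 200 status on success is an assumption.

```python
import threading
import time

# Placeholder: substitute the token endpoint from the Xoxoday documentation.
TOKEN_URL = "https://TOKEN-ENDPOINT.example/placeholder"

class TokenManager:
    """Server-side holder for the token pair; rotates it via grant_type=refresh_token."""

    def __init__(self, client_id, client_secret, tokens, post, clock=time.time):
        self._id, self._secret = client_id, client_secret
        self._post, self._clock = post, clock  # post(url, form) -> (status, dict)
        self._lock = threading.Lock()
        self._store(tokens)

    def _store(self, resp):
        # Replace BOTH tokens: every response carries a newly generated
        # refresh_token. A real service would also persist them to a secret store.
        self._access = resp["access_token"]
        self._refresh = resp["refresh_token"]
        self._expires_at = self._clock() + int(resp["expires_in"])

    def refresh(self, seen_access=None):
        with self._lock:
            # Another caller already rotated the pair: reuse its result instead
            # of sending the refresh token again.
            if seen_access is not None and seen_access != self._access:
                return self._access
            status, body = self._post(TOKEN_URL, {
                "grant_type": "refresh_token",
                "client_id": self._id,
                "client_secret": self._secret,  # never leaves the client server
                "refresh_token": self._refresh,
            })
            if status != 200:  # assumed success code
                raise RuntimeError("refresh failed; repeat the authorization step")
            self._store(body)
            return self._access

    def call(self, api):
        """api(access_token) -> (status, body); refresh once on a 4xx, then retry."""
        token = self._access
        if self._clock() >= self._expires_at - 60:  # refresh shortly before expiry
            token = self.refresh(token)
        status, body = api(token)
        if 400 <= status < 500:
            token = self.refresh(token)
            status, body = api(token)  # single retry, so a permanent 4xx cannot loop
        return status, body
```

Passing the access token the caller last saw into `refresh` keeps concurrent workers from each submitting the same refresh token after one of them has already replaced it.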
To verify at any point in the app whether the token is valid, call the endpoint below.
Request parameters for exchanging the authorization code:

| Parameters | Description |
| --- | --- |
| token_type* | The token_type can take two values: company or user. If the request in the authorization step was for company session creation, the token_type value is company; if it was for user session creation, the token_type value is user. |
| grant_type* | Although OAuth supports different grant_type values, the values supported by Xoxoday are authorization_code and refresh_token. |
| code* | The temporary code value that the client obtained after authorization. Authorization codes expire 5 minutes after creation. |
| client_id* | The client_id value that one receives upon registration in the Getting Started step. |
| redirect_uri* | The URL must match the one you shared at the time of company registration. |
| client_secret* | The client_secret value that one receives upon registration in the Getting Started step. |

Response parameters:

| Parameters | Type | Description |
| --- | --- | --- |
| access_token | Bearer | It can be used by the client to access the Xoxoday API. |
| token_type | Bearer | It must be passed in the Authorization header. |
| expires_in | | The duration (in seconds) for which the access_token is valid. The default user session lasts for 15 days. The default company session lasts for 30 days. |
| refresh_token | Bearer | The value with which the client can regenerate an expired access_token. The refresh token for a user session lasts for 30 days and the refresh token for a company session lasts for 60 days. |

Request parameters for regenerating the access token from the refresh token:

| Parameters | Description |
| --- | --- |
| grant_type* | Although OAuth supports different grant_type values, the values supported by Xoxoday are authorization_code and refresh_token. |
| client_id* | The client_id value that one receives upon registration in the Getting Started step. |
| client_secret* | The client_secret value that one receives upon registration in the Getting Started step. |
| refresh_token* | The value with which the client can regenerate an expired access_token. The refresh token for a user session lasts for 30 days and the refresh token for a company session lasts for 60 days. |

Response parameters:

| Parameters | Type | Description |
| --- | --- | --- |
| access_token | Bearer | It can be used by the client to access the Xoxoday API. |
| token_type | Bearer | It must be passed in the Authorization header. |
| expires_in | | The duration (in seconds) for which the access_token is valid. The default user session lasts for 15 days. The default company session lasts for 30 days. |
| refresh_token | Bearer | The value with which the client can regenerate an expired access_token. The refresh token for a user session lasts for 30 days and the refresh token for a company session lasts for 60 days. |