OAuth 2.0 FAQs
What is the redirect URI?
The redirect URI is the callback URL of your application to which the user is redirected upon successful authorization. The server returns a code parameter in the query string of the redirect URL. This code is used to obtain access and refresh tokens.
What is the validity period for client credentials? How do I regenerate them if they expire?
The Client ID and Client Secret credentials are permanent. If they expire or the user fails to note them down, they can be recreated using Register your application in the OAuth 2.0 authentication procedure.
What is the HTTP method (GET, POST, PUT) to generate access_token and refresh_token?
The URL to generate tokens (access and refresh) should not be entered directly in the browser, since the request is a POST, not a GET. It should be issued either from code or with a tool like Postman.
Where can I find the scope of an API?
Scope for each API is mentioned in their respective modules. The scope is mandatory to access an API.
How many refresh tokens can be generated?
A user can have a maximum of twenty refresh tokens. An error (Access Denied) is displayed when you exceed this limit. It is a best practice to revoke the old token before generating a new one.
How many times can a refresh token be used to regenerate access tokens?
Each refresh token can have a maximum of thirty active access tokens. When you cross this maximum number, the first access token will be deleted irrespective of whether it is active or not.
How often can I generate an authorization code?
A user can generate four authorization codes per minute for a Client ID. After this, the access is temporarily blocked for the next ten minutes.
What are the general errors?
Invalid OAuth AccessToken
This occurs when the access token expires. If the access_type is offline, both an access token and a refresh token are generated, whereas for the online access type only an access token is generated. In both cases, the access token is valid for only an hour.
This occurs when the authorization code expires. The authorization code is valid for only 2 minutes. However, you can recreate the code using User authorization request in the OAuth 2.0 authentication procedure, if required.
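The answers above on the POST-only token request, the one-hour access token lifetime and the thirty-token limit per refresh token suggest caching one access token and refreshing it only near expiry. The following is an added example, not code from this documentation: TOKEN_URL is a placeholder, and the form fields and the access_token / expires_in response fields are assumed to follow RFC 6749.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholder: the page does not give the token endpoint URL.
TOKEN_URL = "https://accounts.example.invalid/oauth/v2/token"
ACCESS_TOKEN_LIFETIME = 3600  # seconds; the page states one hour


def http_post(url, form):
    """Send the form in a POST body so secrets never appear in a URL."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class AccessTokenCache:
    """Reuse one access token until shortly before it expires."""

    def __init__(self, client_id, client_secret, refresh_token,
                 post=http_post, clock=time.monotonic, skew=60):
        self._form = {
            "grant_type": "refresh_token",  # assumed, per RFC 6749 section 6
            "client_id": client_id,
            "client_secret": client_secret,
            "refresh_token": refresh_token,
        }
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        """Return a valid access token, refreshing only when needed."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            reply = self._post(TOKEN_URL, self._form)
            if "access_token" not in reply:
                raise RuntimeError(f"token refresh failed: {reply.get('error')}")
            lifetime = int(reply.get("expires_in", ACCESS_TOKEN_LIFETIME))
            self._token = reply["access_token"]
            self._expires_at = self._clock() + lifetime
        return self._token

    def invalidate(self):
        """Call after an 'Invalid OAuth AccessToken' error to force a refresh."""
        self._token = None
```

Share one cache instance per refresh token across the application so that concurrent workers do not each mint their own access tokens.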