Refresh non-expired access tokens

Hello, I have a question about refreshing access tokens.

Scenario: Let's say you want to authorize your app to connect to Blackbaud's SKY API one time and endlessly refresh the bearer token securely in the background to call the Payments API checkout endpoint.

1) After making a request to the token endpoint with the code and the grant type set to ‘authorization code’, you store the refresh token returned.
2) Then, because you don't know whether or not your access token has expired, you want to go ahead and get a fresh bearer token by calling the token endpoint again with the grant type set to “refresh_token” and “preserve_refresh_token” set to true.

Is this a valid approach?

Additionally, I've noticed that it ignores the preserve_refresh_token flag. Is this because the token hasn't expired yet?

Comments

  • Daniel Leonard, Blackbaud Employee

    Hi Lauren,

    When you set preserve_refresh_token to true, the refresh token will only be valid for one year. Once that refresh token expires, you would need to reauthorize the application.

    If you want to have the solution work in perpetuity, you should not use preserve_refresh_token. Instead, you would want to store the new refresh token each time you get a new access token.

    When your service runs on multiple instances, you should be careful that each instance is using its own refresh token or that they properly share the new refresh token value once a refresh token is exchanged. If the value is not isolated/shared properly, one instance may invalidate the refresh token being used on another instance during an exchange.
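
The multi-instance caveat in the answer above, as an added example (not part of the original thread and not Blackbaud code). `FakeTokenEndpoint` is a constructed stand-in for a token endpoint that invalidates a refresh token once it is exchanged, and the in-process lock in the hypothetical `SharedTokenStore` stands in for whatever shared storage and locking your instances actually use.

```python
import secrets, threading

class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""
    def __init__(self):
        self.valid = {"rt-initial"}          # refresh tokens not yet exchanged

    def refresh(self, refresh_token):
        if refresh_token not in self.valid:
            raise PermissionError("invalid_grant")
        self.valid.remove(refresh_token)     # the exchanged token is now dead
        new_rt = "rt-" + secrets.token_hex(8)
        self.valid.add(new_rt)
        return {"access_token": "at-" + secrets.token_hex(8), "refresh_token": new_rt}

class SharedTokenStore:
    """One refresh token for all instances; exchange and save under one lock."""
    def __init__(self, endpoint, refresh_token):
        self._endpoint = endpoint
        self._refresh_token = refresh_token
        self._lock = threading.Lock()

    def fresh_access_token(self):
        with self._lock:                     # never exchange the same token twice
            reply = self._endpoint.refresh(self._refresh_token)
            self._refresh_token = reply["refresh_token"]  # save before unlocking
            return reply["access_token"]

def unshared_copies_collide():
    """Two instances each hold a private copy of the same refresh token."""
    endpoint = FakeTokenEndpoint()
    copy_a = copy_b = "rt-initial"
    endpoint.refresh(copy_a)                 # instance A rotates the token
    try:
        endpoint.refresh(copy_b)             # instance B still holds the old one
    except PermissionError:
        return True
    return False

def shared_store_survives(workers=8):
    """Many threads refresh through one store; none is rejected."""
    store = SharedTokenStore(FakeTokenEndpoint(), "rt-initial")
    results = []
    threads = [threading.Thread(target=lambda: results.append(store.fresh_access_token()))
               for _ in range(workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return len(set(results)) == workers      # every worker got its own access token
```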
