Payment Sky API 401 Error: Token Expired

Hi,


Yesterday we had an issue with BBMS transactions on our Spark website. About 10 transactions failed because the refresh token had expired.
After I signed into BB and authorized the project to get a new refresh token (see Sky API Authorize screenshot), the issue was fixed.

We did have almost 2 months without a credit card donation. But according to the documentation (https://developer.blackbaud.com/skyapi/docs/authorization#token-expiration), refresh tokens will expire after 365 days. I wonder why our refresh token expired? The second screenshot shows the piece of code that caught the 401 error: Token Expired.


The initial access token and refresh token are saved in the database. Each time we exchange our refresh token for a new access token, the old refresh token in the table is replaced with the new refresh token. So it should never expire!


Thanks,

-Tiehu


Comments

  • Chris Rodgers (Blackbaud Employee)
    Hi Tiehu,


    This is Chris from the SKY API team.


    You are correct about the lifespan of SKY API refresh tokens -- 365 days. I can actually see a few metrics for your app indicating a decent number of refresh tokens dating back to last year (you can private message me if you want more details about that). 


    I believe the code snippet you included in your post is from the actual Payments API request, correct? That 401 would indicate that the access token is not valid (likely expired). For refresh token exchanges to the SKY API OAuth 2 `/token` endpoint, an expired (or invalid) refresh token error would be indicated by a 400 (BadRequest) response with "invalid_grant" indicated in the body. Read more about possible token exchange errors here.


    Still, it's entirely possible that your refresh token became invalid due to some other exchange issue. I've written a few posts in the past about how you can make that exchange more resilient. In any case, I think the most important point is to have some logging around refresh token exchange failures and to account for unexpected responses from our OAuth service (a 400 or, hopefully never, a rare 500 response).


    Feel free to reach out to me if you have more questions (or private message if there are specifics about your app that you need to discuss).
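The refresh flow the original post describes (tokens stored in a database, the stored refresh token replaced after every exchange) and the response distinction in Chris's reply (401 from the Payments API means the access token is bad; 400 with `invalid_grant` from `/token` means the refresh token is bad; anything else is an unexpected OAuth-service response) are put together below as an added example. This is not code from the post, from the Spark site, or from the SKY API SDK. The `FakeOAuthServer` and `TokenStore` classes are constructed stand-ins so it runs offline; the token strings, the single-use rotation of refresh tokens, and the `expires_in` value are assumptions, not documented SKY API behaviour.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("sky_token_refresh")


class ReauthorizationRequired(Exception):
    """/token rejected the stored refresh token: a user must re-authorize the app."""


class TransientOAuthError(Exception):
    """/token answered with something other than 200 or 400 invalid_grant."""


@dataclass
class TokenRecord:
    access_token: str
    refresh_token: str
    expires_at: float  # unix seconds; 0 means "unknown, treat as expired"


class TokenStore:
    """Hypothetical single-row store standing in for the database table in the post."""

    def __init__(self, record: TokenRecord):
        self._record = record

    def load(self) -> TokenRecord:
        return self._record

    def save(self, record: TokenRecord) -> None:
        self._record = record


class FakeOAuthServer:
    """Constructed stand-in for the /token endpoint and the Payments API (offline).
    Assumption: refresh tokens are single-use, so a successful exchange rotates to a
    new one and the old one becomes invalid_grant."""

    def __init__(self, seed_refresh_token: str):
        self._refresh_tokens = {seed_refresh_token}
        self._access_tokens = set()
        self._n = 0
        self.fail_next_with_500 = False  # lets the caller simulate a server error

    def post_token(self, grant_type: str, refresh_token: str):
        if self.fail_next_with_500:
            self.fail_next_with_500 = False
            return 500, {"error": "server_error"}
        if grant_type != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        if refresh_token not in self._refresh_tokens:
            return 400, {"error": "invalid_grant"}
        self._refresh_tokens.discard(refresh_token)
        self._n += 1
        new_refresh, new_access = f"rt-{self._n}", f"at-{self._n}"
        self._refresh_tokens.add(new_refresh)
        self._access_tokens.add(new_access)
        return 200, {"access_token": new_access, "refresh_token": new_refresh,
                     "expires_in": 3600}

    def payments_api(self, access_token: str):
        if access_token not in self._access_tokens:
            return 401, {"message": "Token Expired"}
        return 200, {"status": "ok"}


def refresh_access_token(store: TokenStore, oauth: FakeOAuthServer, now: float) -> TokenRecord:
    """Exchange the stored refresh token; persist the rotated one before using it."""
    current = store.load()
    status, body = oauth.post_token("refresh_token", current.refresh_token)
    if status == 200:
        new = TokenRecord(body["access_token"], body["refresh_token"], now + body["expires_in"])
        store.save(new)  # write the new refresh token before any further request
        log.info("refresh token exchange succeeded; refresh token rotated")
        return new
    if status == 400 and body.get("error") == "invalid_grant":
        # The refresh token itself is dead: only a new authorization fixes this.
        log.error("refresh token rejected with invalid_grant; re-authorization required")
        raise ReauthorizationRequired(body)
    # 500 or any other surprise: keep the stored refresh token, retry later.
    log.warning("unexpected /token response %s %s; keeping stored refresh token", status, body)
    raise TransientOAuthError(status)


def call_payments_api(store: TokenStore, oauth: FakeOAuthServer, now: float):
    """Call the API with the stored access token, refreshing on expiry or on a 401."""
    record = store.load()
    if record.expires_at <= now:
        record = refresh_access_token(store, oauth, now)
    status, body = oauth.payments_api(record.access_token)
    if status == 401:  # access token invalid: refresh once and retry
        record = refresh_access_token(store, oauth, now)
        status, body = oauth.payments_api(record.access_token)
    return status, body
```

The point of separating `ReauthorizationRequired` from `TransientOAuthError` is that they need opposite handling: a 500 should leave the stored refresh token untouched and be retried, while `invalid_grant` should page someone to repeat the authorize step, since no amount of retrying will revive the token. If the database write of the rotated refresh token can be lost or overwritten by a stale value (two workers refreshing concurrently, for instance), the stored token will come back as `invalid_grant` on the next exchange, which is one way the symptom in the post can occur well inside the 365-day lifetime.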
