
I am working on a project in which I need to integrate an API. The API's website requires that every request to their API be authorized by an Authorization token. My problem is how to save the Authorization token safely and regenerate the token after expiration, so that the users of my website are able to use the access token for their requests. The token expires in 2 hours. Below is my request to obtain the authorization token and the response.

 import unirest

 # POST the merchant credentials to the token endpoint; the closing quote after
 # my_api_key and the trailing semicolon were missing in the original snippet
 response = unirest.post("https://webapisite.com/merchant/access",
                         headers={"Accept": "application/json"},
                         params={"apiKey": "my_api_key", "secret": "my_secret"})

I will receive the JSON response below:

 {
   "status": "success",
   "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MTQwLCJuYW1lIjoic2F2YW5hIHNtYXJ0c2F2ZSIsImFjY291bnROdW1iZXIiOiIiLCJiYW5rQ29kZSI6Ijk5OSIsImlzQWN0aXZlIjp0cnVlLCJjcmVhdGVkQXQiOiIyMDE2LTEyLTA4VDEwOjM4OjE5LjAwMFoiLCJ1cGRhdGVkQXQiOiIyMDE3LTA2LTE0VDEzOjAxOjQ5LjAwMFoiLCJkZWxldGVkQXQiOm51bGwsImlhdCI6MTQ5ODMzNTE2NSwiZXhwIjoxNDk4MzQyMzY1fQ.WojvkYOC2j6XTUfg_E4WQkxQChPUyCgYUCIKaW83YXA", // a valid merchant token
   "config": {}
 }
  • The standard approach here would be to save the token into the user's session or into the database, in a table where it is linked to the user account along with the expiry date, so it can be refreshed when needed. Commented Jul 19, 2017 at 15:34

3 Answers

Perhaps the most commonly used standard for use cases like this is OAuth 2.0.

OAuth is a widely recognized protocol on top of HTTP that is used to issue tokens to clients after successful authentication (see also: "What is the difference between authentication and authorization?" on ServerFault). It provides different "flows" to obtain the tokens by; the most suitable in your case would probably be the "Resource Owner Password Credentials Grant" flow. Clients can then use the tokens given to them to make the actual API request.

Storing the tokens is usually done in a database. In truly stateless applications, JSON Web Tokens can eliminate the need to store tokens on the server-side.


It's always better to save the token in the DB and store it in the session too. With every request you can get the token from the session and track session activity by the DB-stored session. Basically this kind of thing is part of the project flow, so according to the project's needs and flow, with the aspect of security in mind, we can take a decision.


You should save this token in the DB. In one table, save the access token, auth token and expiry date. You can save multiple records if you want, but if you have only one auth token, one record is enough.

Before every call to that API, check in the DB whether the available access token is still valid; if it's not, you must renew the access token through the auth token.

I couldn't understand which language you are using for this task. If JavaScript, you can make a POST to your backend, asking for the latest valid token.

Hope that helps.

1 Comment

Then you can use the magic method __call() in PHP and check at the API if your token is still valid; if not, just request a new one. After the process of renewing the token ends, the called function will execute, now with a fresh new token.
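The store-then-check-before-each-call flow from the answer above, as an added example in Python (not code from the question or any answer): one server-side token record with its expiry, renewed under a lock shortly before it lapses. `fetch`, `REFRESH_MARGIN` and `constructed_token` are names assumed here; the `exp` claim is read from the token only to schedule renewal, never as proof that the token is valid.

```python
import base64
import json
import threading
import time

REFRESH_MARGIN = 60  # renew this many seconds before the token would expire

def jwt_expiry(token):
    """JWT 'exp' claim (unix seconds) or None. Signature is NOT verified here: the
    value only schedules refreshes; the API server decides if the token is valid."""
    try:
        payload_b64 = token.split(".")[1]
        payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
        payload = json.loads(base64.urlsafe_b64decode(payload_b64))
        return int(payload["exp"]) if "exp" in payload else None
    except (IndexError, ValueError, TypeError):
        return None

class TokenStore:
    """Server-side cache of one merchant token and its expiry. `fetch` is a
    hypothetical callable doing the /merchant/access POST with apiKey/secret and
    returning the parsed JSON; injecting it keeps the secret out of this class."""
    def __init__(self, fetch, now=time.time):
        self._fetch, self._now = fetch, now
        self._lock = threading.Lock()
        self.token, self.expires_at = None, 0

    def is_valid(self):
        return self.token is not None and self._now() < self.expires_at - REFRESH_MARGIN

    def get_token(self):
        with self._lock:  # concurrent web requests must not all hit the token endpoint
            if not self.is_valid():
                body = self._fetch()
                if body.get("status") != "success" or not body.get("token"):
                    raise RuntimeError("token endpoint returned status %r" % body.get("status"))
                self.token = body["token"]
                # use the exp claim for scheduling; fall back to the documented 2 hours
                self.expires_at = jwt_expiry(self.token) or (self._now() + 7200)
            return self.token

def constructed_token(exp):
    """Constructed, unsigned sample JWT for offline use; not a real merchant token."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "HS256", "typ": "JWT"}) + "." + seg({"id": 140, "exp": exp}) + ".sig"
```

Persist `token` and `expires_at` in the one-record table the answer describes so every web worker shares the same renewal, and keep the apiKey/secret only inside `fetch`.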
