You have your access tokens, and they've been working great, but all of a sudden your calls have stopped working. You are seeing some strange OAuth errors.
MYOB's access tokens only live for 20 minutes, so you are going to need to refresh them if you are going to work with the APIs.
You are most likely to need a refresh in the following scenarios:
- during development, no matter how good you are, you're going to need longer than 20 mins of work time with the API
- user interaction, sometimes a user will use an app that is reading/writing to the MYOB API for extended periods of time. A BI or forecasting app will frequently need longer than 20 mins of work time
- subsequent logins, no one likes to keep logging into an application. Access and refresh tokens are designed so that the user only does the connection once. So you'll need to use refresh tokens for future visits
- overnight run times, often apps do end of day journals, or fetch data to prepare reports or details for the next day. The user isn't even around, and you will need access
- user not around, building a silent app that just runs quietly in the background? Great, once the user does the connection and grants permission, they are no longer needed. Just use refresh tokens to get new access tokens
This article assumes you have already obtained access tokens and refresh tokens at least once. Read this article if you haven't yet.
There are really only two steps here
We're going to make a POST request to the MYOB server. Effectively what we are saying here is "Hey MYOB, I have already been given permission to this service. Here's a token to prove it, can I have fresh access tokens please?"
Now, to do that in code, we need to get the following items, and POST them in a body to the authentication service.
- this is your API Key
- this is your API Secret
- this is the type of grant you are requesting. For this step it must say refresh_token because you are passing the MYOB server a refresh token
- this is the refresh token you have already
Pop all that in the BODY, make sure you set a header with the content type of x-www-form-urlencoded so the body is formatted correctly, and POST it to:
Here's what it looks like in Postman
And with the response (trimmed for security)
Now we have a fresh access token and we can head off and make any calls we want.
Best practice tips
- Refresh the token before you need to. The extra time spent refreshing a token could be disruptive to a user, so make sure you have it early
- Don't refresh on every call, this just adds extra burden and response times to your calls
- A good rule of thumb is to refresh every 15 mins
invalid grant type
- If you find your refresh tokens are ever responding with the error invalid grant type, it means that the user has revoked access to your app. How you handle this is up to you.
- If it's a surprise to you & your user, then they simply need to go back through authentication again.
- If it's something the user has done, then you might want to have a conversation with them about why they stopped using your solution.
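The refresh request, the 15-minute rule and the revoked-access case described above, combined in one token manager. This is an added example, not MYOB's code or code from the original article. The endpoint URL is a placeholder because the page does not show it, and the field names `client_id`, `client_secret`, `access_token` and the `invalid_grant` error code are the standard OAuth 2.0 names, assumed here.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.example.invalid/token"  # placeholder, not the real endpoint
REFRESH_AFTER = 15 * 60  # the article's rule of thumb, in seconds

class ReauthorizationRequired(Exception):
    """Refresh token rejected: the user has to go back through authentication."""

def http_post(url, headers, body):
    """Default transport: POST the form body, return (status, parsed JSON)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

class TokenManager:
    def __init__(self, api_key, api_secret, refresh_token, post=http_post, clock=time.monotonic):
        self._key, self._secret = api_key, api_secret
        self._refresh_token = refresh_token
        self._post, self._clock = post, clock
        self._access_token, self._issued_at = None, None

    def access_token(self):
        """Return the cached token; refresh only once it is 15 minutes old."""
        stale = self._access_token is None or self._clock() - self._issued_at >= REFRESH_AFTER
        if stale:
            self._refresh()
        return self._access_token

    def _refresh(self):
        body = urllib.parse.urlencode({
            "client_id": self._key, "client_secret": self._secret,  # assumed field names
            "grant_type": "refresh_token", "refresh_token": self._refresh_token,
        })
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, data = self._post(TOKEN_URL, headers, body)
        if status != 200:
            if data.get("error") == "invalid_grant":  # assumed code for revoked access
                self._access_token = None
                raise ReauthorizationRequired("refresh token rejected")
            raise RuntimeError(f"token refresh failed with HTTP {status}")  # no token values in errors
        self._access_token = data["access_token"]
        self._refresh_token = data.get("refresh_token", self._refresh_token)  # keep a rotated token
        self._issued_at = self._clock()
```

Store the refresh token this class holds wherever you persist credentials, since a returned replacement supersedes the one you started with.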