Keeping oauth2 access_tokens refreshed



We’re using the Timeline API to store custom actions our users take in our app in their contact profile in HubSpot.

This app is truly internal only – so there will be only one install of it…connecting our app to our HubSpot portal.

This also means that we never want the access_token to expire. I know you can utilize the refresh_token to get a new access_token, but what recommendations do you have for automating this process?

In particular:

  1. Should we update the access_token lazily (i.e., when our code detects the access_token has expired, initiate the refresh process)? Or should we do it as a scheduled task?

  2. We have multiple servers, and each of them would need access to the correct access_token at any moment in time. Since we have multiple servers, where do you recommend storing the access_token? An external key/value data store like Redis? What about race conditions when you update the access_token and need it to be propagated out to our servers?

  3. Does the refresh_token ever expire?

  4. Is there some established best practice for non-user-facing applications authenticated using OAuth? Are we overcomplicating this somehow?

Thanks in advance.

@dshorowitz I will try to answer your questions below.

  1. Both of these solutions work. It is really up to you how you want to implement this. Being proactive is usually better (using the scheduled task). But you could also wrap your calls in a try/catch block to handle a bad access token by refreshing it and calling it again.
  2. Could you use a mutex to protect the data? (Think of writing your code to be thread-safe, as in low-level coding.)
  3. No, it does not.
  4. I don’t believe you are overcomplicating it, and I think you have two good practices laid out above.

Let me know if you have any other questions.
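
A sketch of the pattern discussed in this thread, added here as an example and not code from either poster or from HubSpot: one cached access_token, a mutex around the refresh with a re-check inside it so concurrent workers trigger only one refresh, and a retry-once path for a rejected token. The dict and `threading.Lock` stand in for a shared store such as Redis and a cross-server lock; `refresh_fn`, `api_fn` and the 1800-second lifetime are hypothetical, constructed values.

```python
import threading
import time

class SharedTokenCache:  # one access_token shared by many workers, refreshed once per expiry
    def __init__(self, store, lock, refresh_fn, skew=60):
        self.store = store            # shared key/value store (a plain dict here)
        self.lock = lock              # mutex around refresh (threading.Lock here)
        self.refresh_fn = refresh_fn  # hypothetical: returns (access_token, expires_in)
        self.skew = skew              # treat the token as expired this many seconds early

    def _cached(self):
        entry = self.store.get("access_token")
        live = entry and entry["expires_at"] - self.skew > time.time()
        return entry["token"] if live else None

    def _refresh_locked(self):        # caller must hold self.lock
        token, expires_in = self.refresh_fn()
        self.store["access_token"] = {"token": token, "expires_at": time.time() + expires_in}
        return token

    def get_token(self):              # used by request code and by a scheduled job
        token = self._cached()
        if token:
            return token              # fast path, no lock taken
        with self.lock:               # re-check: another worker may have refreshed meanwhile
            return self._cached() or self._refresh_locked()

    def call(self, api_fn):           # lazy path: api_fn(token) -> HTTP status
        token = self.get_token()
        status = api_fn(token)
        if status == 401:
            with self.lock:
                entry = self.store.get("access_token")
                if entry and entry["token"] == token:   # still the rejected token
                    self._refresh_locked()
            status = api_fn(self.get_token())
        return status

def demo(workers=8):                  # constructed scenario: 8 threads hit an empty cache at once
    calls, seen = [], []
    def fake_refresh():               # stands in for the real refresh_token exchange
        time.sleep(0.05)              # widen the race window
        calls.append(1)
        return f"token-{len(calls)}", 1800
    cache = SharedTokenCache({}, threading.Lock(), fake_refresh)
    threads = [threading.Thread(target=lambda: seen.append(cache.get_token())) for _ in range(workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return len(calls), set(seen)      # one refresh, one distinct token
```

A scheduled job that calls `get_token()` more often than the skew window gives the proactive refresh, while `call()` covers the case where the token is rejected anyway.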