Access_token lifetime

Please fill out the following sections to the best of your ability, it will help us investigate bugs if we have this information at the outset. Screenshots are especially helpful, so please provide those if you can.

Platform (Android, iOS, Website): Python desktop to web services

App version number, if a mobile app issue (shown under Settings): base url: /v1 , api version: 1.3.0

Browser, if a website issue (Firefox, Chrome, etc) : python client

URLs (aka web addresses) of any relevant observations or pages: https://www.inaturalist.org/oauth/token

Screenshots of what you are seeing (instructions for taking a screenshot on computers and mobile devices: https://www.take-a-screenshot.org/):

{
  "access_token": "0072…786ea0b06b",
  "token_type": "Bearer",
  "scope": "write login",
  "created_at": 1592421151
}

Description of problem (please provide a set of steps we can use to replicate the issue, and make as many as you need.):

I am successfully trading an authorization code for an access token. I note that I get a created_at rather than the expires_in (as described in https://www.inaturalist.org/pages/api+reference#auth).

I assume the created_at is gm epoch seconds. I’d like to have the user go through another grant process a little before the token expires. What is the access token lifetime (in the units of your choice)?

Thanks!

Steps (just in case):

  1. client needs new access token to make secured API calls
  2. client sends user agent (browser) to oauth/ with authorization request
  3. authorization service refers authorization response to user agent (assumes user authN success and authZ grant)
  4. client triggered by custom protocol scheme in the response
  5. client posts json authorization code from response to oauth/token/
  6. client gets json response (which includes the bearer token)
  7. programmer scratches head at created_at

why is this classified as a bug? i don’t see anything that looks like a bug in here.

https://github.com/search?q=org%3Ainaturalist+authorization_code&type=Code

since the old API is considered deprecated (https://www.inaturalist.org/pages/api+recommended+practices), i’m not sure why you would need to bother to reauthorize the access token. i think in most cases you would just use it once right away to get a JWT for use against the v1 API. the JWT doesn’t expire for 24 hours. so that should be long enough for most use cases, right? if it expires, just go through the authorization process again.


Thanks. I’ll go back through this again. Likely I am getting confused by the example code in the authentication reference from the api. I might be getting confused by the example code: To obtain one, make an OAuth-authenticated request to https://www.inaturalist.org/users/api_token. I may have taken the wrong endpoint for the token from the code at the first link.

Thanks for the pointer!

Also, where is a more appropriate location for these technical questions? I am creating a bug report tagged as a question. It does seem the wrong place.

if you just want to ask a question, i would classify it as a General question rather than a Bug Report.

the flow is that you get an access token, use that to get a JWT, then use the JWT to hit the v1 API. (if you’re trying to do something with the v1 API that doesn’t require authentication, then just make the request without authentication, since requests that don’t involve authentication will suck up fewer resources.)

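The flow described in this thread (access token, then JWT, then v1 API), with the JWT renewed shortly before its 24-hour expiry, as an added example that is not part of the thread or of iNaturalist's code. `ApiTokenCache`, `fetch_jwt`, the 15-minute margin and the presence of an `exp` claim in the JWT are assumptions; `fetch_jwt` stands for the caller's own OAuth-authenticated request to `/users/api_token`.

```python
import base64
import json
import time

JWT_LIFETIME = 24 * 60 * 60   # 24 hours, as stated in the thread
RENEW_MARGIN = 15 * 60        # assumption: renew 15 minutes early


def jwt_exp(token):
    """Return the unverified `exp` claim of a JWT, or None if absent/unparseable.

    Used only to schedule a refresh; the server remains the authority on validity.
    """
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore base64url padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
        exp = claims.get("exp")
        return float(exp) if isinstance(exp, (int, float)) else None
    except (IndexError, ValueError, AttributeError):
        return None


class ApiTokenCache:
    """Caches the JWT and fetches a new one shortly before it expires."""

    def __init__(self, fetch_jwt, clock=time.time):
        self._fetch_jwt = fetch_jwt   # hypothetical callable returning the JWT string
        self._clock = clock           # injectable so expiry logic can be tested
        self._jwt = None
        self._expires_at = 0.0

    def get(self):
        now = self._clock()
        if self._jwt is None or now >= self._expires_at - RENEW_MARGIN:
            self._jwt = self._fetch_jwt()
            # Prefer the token's own exp claim; otherwise assume the 24 h lifetime.
            self._expires_at = jwt_exp(self._jwt) or (now + JWT_LIFETIME)
        return self._jwt

    def invalidate(self):
        """Call after a 401 so the next get() fetches a fresh JWT."""
        self._jwt = None
```

If `fetch_jwt` fails because the OAuth access token itself is no longer accepted, the client has to send the user through the authorization process again, as suggested earlier in the thread.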

Thank you.
