Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > Partner Program >

Best/fastest way to renew a access token

Started by Creative Family -   in Partner Program

Whats the best way to check if an access token is expired?

Can you make it so that the session never expires until the either disconnect from Xero or from the client App.

I want to check if it's expired before going ahead and attempting to try a GEt, POST or PUT.

Any ideas would be great :)
Hi Myles

For a partner app, the session won't expire if the connection continues to be used (at least once every 90 days), but each access token will only last 30 minutes.

To my mind, you have two options here:
1. Handle an expired token
You will get an OAuth reponse when a token has expired, like this one. If you encounter that, you can then kick into a function that renews the Access Token.

2. Renew
We don't mind when you renew an access token, and it doesn't need to be expired yet to do so. If the workflow of your integration was such that you were doing hourly or nightly data syncs, it might be more efficient to assume the current access token has expired and renew it at the start of your communication with the API. You would probably still need to be able to handle encountering an expired access token error though, in the unlikely event you were spending more than 30 mins sending data to or from the API.

If you keep track of when you received the current access token on your side, you will know how long more it is valid for, but handling this seems like a bit of overkill to me, though there may be a few scenarios where it makes sense.

Hope that helps


Ronan Quirke (Community Manager)  

Thanks for that, I took your advice and made some minor changes to our code.

I am handling for expired tokens but I was having issues when a user would attempt an api call it would fail... as the token was expired obviously...

What I've built today is a small timer which runs before an api call is made.
It's just checking the last time the user connected has not passed as I'm storing the time of connection.
If the time of connection is greater than 30 minutes ago then run the renewal function and reset the time...

What do you think?

Does seem like a bit of overkill but i think this should stop any problems between the two apps.

Creative Family  

The key to this is the expires_in value. When we get a new access token we store an expiry date against the connection. When we want to use the API we do a lookup to see if the expiry date has passed, if so, we request another access token, restore and then continue. If it fails, we ditch the connection. Just for paranoia we minus 10 seconds off the expires_in before creating a timestamp.

Dave Quested