Tokens - Flow

Access token and refresh tokens are issued by a merchant, and so is per merchant. Therefore, if a single merchant (a publisher let us say) has multiple subscription providers (different newspapers), you can use the same token for all of them, but for a different merchant (another publisher) you would need another token. 

You need to use the access token when calling the API. And when the access token is expired, you use the refresh token to get a new set of tokens. 


The IT integrator can exchange their refresh token for a new pair of access token and refresh token.

  1. Get the access token and refresh_token by redirecting the merchant to login URI and handling the response.
  2. IT-integrator stores the  access token somewhere, along with its validity (cache, in-memory dictionary or something else) and use it until it is valid. You can save the  access token  persistent. It depends on the implementation. 
  3. IT-integrator stores the refresh_token somewhere, where it would be persistent and secure.
    1. Note: that if a merchant revokes the consent, then there is a delay of 5 minutes where the integrator still can use the  access token until it expires.  refresh_token will not be able to be used, and this means that the integrator will not be able to obtain a new access_token 
  4. Once the  access_token expires, you use your stored  refresh_token  to get a new  access token  and  refresh_token  and repeat #3 and #4. It will contain  access_token ,  refresh_token and ExpiresIn property.
  5. If refresh token is no longer valid (that is, if you fail to refresh your tokens by using it before it expires) – you need to go back to step #1

If you’re using the same .NET library that’s used in our sample solution for interacting with OpenID Connect flow, then you can use OidcClient.RefreshTokenAsync() method to make the exchange. Also, the LoginResult class, coming back from OidcClient.ProcessResponseAsync() has a property called AccessTokenExpiration, which tells you how long the access token is valid, so that the IT-integrator can know, when it’s time to refresh the access token, without making a call to MobilePay service and receiving 401.