You need to use the access token when calling the API. And when the access token is expired, you use the refresh token to get a new set of tokens.
The IT integrator can exchange their refresh token for a new pair of access token and refresh token.
- Get the `refresh_token` by redirecting the merchant to the login URI and handling the response.
- IT-integrator stores the `access token` somewhere, along with its validity (cache, in-memory dictionary or something else), and uses it for as long as it is valid. You can also store the `access token` persistently; it depends on the implementation.
- IT-integrator stores the `refresh_token` somewhere persistent and secure.
- Note: if a merchant revokes the consent, there is a delay of 5 minutes during which the integrator can still use the `access token` until it expires. The `refresh_token` will not be able to be used, and this means that the integrator will not be able to obtain a new
- Once the `access_token` expires, use your stored `refresh_token` to get a new `access token` and a new `refresh_token`, and repeat #3 and #4. It will contain `refresh_token` and `ExpiresIn` property.
- If the refresh token is no longer valid (that is, if you fail to refresh your tokens using it before it expires), you need to go back to step #1.
If you’re using the same .NET library that’s used in our sample solution for interacting with the OpenID Connect flow, you can use the `OidcClient.RefreshTokenAsync()` method to make the exchange. Also, the `LoginResult` class, coming back from `OidcClient.ProcessResponseAsync()`, has a property called `AccessTokenExpiration`, which tells you how long the access token is valid, so the IT-integrator knows when it is time to refresh the access token without making a call to the MobilePay service and receiving a 401.
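The token lifecycle from the steps above, as an added example that is not part of the sample solution: it caches the access token with its expiry, refreshes shortly before expiry, and persists the replacement refresh token before using the new access token. It assumes the library is IdentityModel.OidcClient; `IRefreshTokenStore`, `TokenManager` and the 60-second margin are hypothetical names and values chosen for illustration.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using IdentityModel.OidcClient; // assumed library

// Hypothetical store: back it with encrypted, access-controlled persistence.
public interface IRefreshTokenStore
{
    Task<string> LoadAsync();
    Task SaveAsync(string refreshToken);
}

public sealed class TokenManager
{
    private static readonly TimeSpan Margin = TimeSpan.FromSeconds(60); // assumed value
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private readonly OidcClient _client;
    private readonly IRefreshTokenStore _store;
    private string _accessToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public TokenManager(OidcClient client, IRefreshTokenStore store) { _client = client; _store = store; }

    // Call once with the result of OidcClient.ProcessResponseAsync(), after checking login.IsError.
    public async Task SeedAsync(LoginResult login)
    {
        await _store.SaveAsync(login.RefreshToken);
        _accessToken = login.AccessToken;
        _expiresAt = login.AccessTokenExpiration;
    }

    public async Task<string> GetAccessTokenAsync()
    {
        await _gate.WaitAsync(); // serialize: each exchange replaces the refresh token
        try
        {
            if (_accessToken != null && DateTimeOffset.UtcNow < _expiresAt - Margin)
                return _accessToken; // still valid, no call to the token endpoint
            var result = await _client.RefreshTokenAsync(await _store.LoadAsync());
            if (result.IsError) // e.g. refresh token expired or consent revoked
                throw new InvalidOperationException("Token refresh failed: " + result.Error);
            await _store.SaveAsync(result.RefreshToken); // persist the new one first
            _accessToken = result.AccessToken;
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(result.ExpiresIn);
            return _accessToken;
        }
        finally { _gate.Release(); }
    }
}
```

When the exception is caused by an invalid refresh token, the caller restarts at step #1 by sending the merchant through the login again. Token values are never written to logs or exception messages here; only the error code is.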