This is my first time having to try and create a custom API to work with the Oauth process and I am having some issues with it.
I am trying to create a way for my business to pull our guest data staying in our hotel via Rest API for that software and then putting that into our Keap account. There is never any time someone will manually login to authenticate them selves so I’m not sure how to get these tokens. There is no end user so it doesn’t make sense to try and make someone log in therefore I have no way of getting the token back and stored. Basically I want this code to run in the background that no one sees and it will pull our guest data from our PMS(property management system) and then upload/update contact information in our keap account to get them put onto email campaigns and things like that.
I might just be misunderstanding how to go about this but if anyone has any help that would be great.
I am trying to write this using the php code provided on GitHub. I already have working php Rest API code for my PMS so the only part I need is to figure out how to get through the authorization process on keap and then update contact information after that.
The Authorization Code grant is a standard-specified process to authorizing a Refresh Token; if you only will ever have one system connected to Keap you can walk the process by hand (I use Postman personally, but others prefer good ol’ curl) to get your Refresh Token. At that point you would store that Refresh Token on your remote system and exchange it for a new one on a regular basis (<45d), each time generating an Access Token that is good for 24 hours to make calls against the API.
That was a really great and helpful video, but there is something that I want to address that could be helpful to you and anyone else that sees this thread.
Refresh tokens do not expire when the authentication token expires. So you don’t need to refresh your tokens every 24 hours on a schedule, what can be done is add a custom error handler function that would refresh the token if it had expired, when I set this up on my application, I notice that when the token has expired in the header of the error message, in the “www-authenticate” key, it will have a string that finish with ‘Acces Token expired"’, so that error could be used to trigger a renew token function.
Oh, That is really good to know, I didn’t read that on the documentation. So I guess just to make sure it would be good to schedule a token refresh every month.
The recommendation was given for the average use case. Most using oauth and developing a client facing service are concerned about people having to re-auth and while you can certainly do what you described, it’s no less assurety for someone to refresh on a schedule and does not put any strain on the server. No one is saying the refresh token expires when the access token does. The refresh cycle is just a recommendation to beat the expiration of the access token “to the punch” so to speak. In the end, it’s just a recommendation to the majority case/concern not a requirement.
