Maintain valid API bearer token w/o involving humans?

Looking to keep InfusionSoft data fresh with a nightly automated curation job. Pre-embarrasshed to ask this question, but I’ve done my fair share of Googling and it looks like I need to involve humans to keep API bearer tokens valid.

Volunteering for a non-profit where manpower comes at a great cost, is it possible to fetch an OAuth bearer token w/o involving humans?

Happy to write scheduled/cron jobs to keep it fresh. An example in any language, a Postman recipe, or even a curl example would be greatly appreciated.

Once you go through your authorization grant to get the original access token and refresh token, you can get a new access token by doing a refresh grant by sending us the existing refresh token. That will return you a new access token and refresh token. The old refresh token will no longer be valid since they are single use.

This is a problem that I have brought up as well I have to manually replace token every 24 hours or Keap API doesnt stay working. Its a major flaw that this has to be done manually by a human.

Access Tokens do have a 24hr expiration, but the refresh token is good for 45 days. Every time you refresh you will get a new access token good for 24hrs and a new refresh token good for 45 days. This allows basically infinite non-interactive token refreshes. All of this can be done without human interaction except for the very first authorization. This is all pretty standard OAuth 2.0 stuff.

I have been told this before but it doesnt seem to be the case. I use ListFlex it requires me to go in every 24 hrs and generate a new Keap token and replace the old token in the string or it simply will NOT WORK unless this is done. I really dont understand why Keap claims it doesnt have to be done and lasts 45 days but doesnt. Imagine manually doing this every day every 24 hours or your leads will STOP going into your account… in 2020.

That is a ListFlex issue not Keap. They must not be handling token refreshes properly. We have thousands of API clients refreshing tokens every day.

LF said: "Infusionsoft PHP SDK. They will need it to test the file: GitHub - infusionsoft/infusionsoft-php: PHP client library for the Infusionsoft API.
File is attached."infusionsoft.txt (2.8 KB) you will need to change the file extension from .txt to .php as it doesnt allow to upload php files here.

Please keep me updated, thank you.

I am not sure what you want us to keep you updated on. The API works, the SDK works, they need to store the tokens and manage the token’s lifecycle. If they (ListFlex) are having issues they should reach out to support via an API Ticket or have them post a question here. I am not a PHP developer but it looks like they they are not dealing with the refresh token at all. I see nowhere that they are saving it off into a database to manage it. It looks like they designed it to do exactly what you describe (Human authorization every time).

Works like a boss, Bradley, take the rest of the day off. My problem was a little skull-thickness and a disconnect with the concept of refreshing the access token AND the refresh token with the refresh call, I’m less dumber now – thank you.

Phil, there’s no problem with this API call or Keap’s OAuth implementation, I refreshed it half a dozen times which is 100% automatable - no need for you to do this manually. I’ve written more than my fair share of PHP and looked at your code, there’s nothing there handling or persisting/saving the required refresh_token. I’m persisting with AWS Secrets Manager, could be done just as easily w/ a db like Bradley referenced, heck you could do this w/ a flat file (strongly recommend encrypting).

curl example

I hope will help someone like me.

curl --location --request POST 'https://api.infusionsoft.com/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=xxx' \
--data-urlencode 'client_id=xxxx' \
--data-urlencode 'client_secret=xxxx'

PHP example for Phil

$client = new http\Client;
$request = new http\Client\Request;
$request->setRequestUrl('https://api.infusionsoft.com/token');
$request->setRequestMethod('POST');
$body = new http\Message\Body;
$body->append(new http\QueryString(array(
  'grant_type' => 'refresh_token',
  'refresh_token' => 'xxxx',
  'client_id' => 'xxxx',
  'client_secret' => 'xxxx')));$request->setBody($body);
$request->setOptions(array());
$request->setHeaders(array(
  'Content-Type' => 'application/x-www-form-urlencoded'
));
$client->enqueue($request)->send();
$response = $client->getResponse();
echo $response->getBody();

Phil’s Solution Proposal

Phil, decouple API authentication from your add contact method/function and never refresh that API access_token manually again.

1. Fire a cron/scheduled job every 24 hours.
2. Wire it to that☝️ PHP API call.
3. From the response, you’ll get a fresh + valid access_token and refresh_token, with a little more PHP, write those key/values to an encrypted flat file.
4. Whenever you fire your addContact() code, read + decrypt the access token from that encrypted flat file.