REST API Without manual authorization

I was about to implement a simple integration between our web app and Keap in order to simply create a contact or apply a tag.
All I could find about authorization is that Keap requires the token to be refreshed every 24 hours (or slightly less than that) using a cron job.

Is this still the state of the art and how you think we are supposed to handle authorization?
Am I missing something?

Sorry, but I’m in disbelief that using a cron job is how this was designed and considered reliable.

Do you think the XML-RPC would be an alternative?
This whole thing makes me want to switch to another service, since we are just starting to use Keap.

Thanks in advance

I believe you are misunderstanding the Refresh Token grant; once you obtain authorization you get both a Refresh Token and an Access Token back. The Access Token expires 24 hours after issue, but the Refresh Token expires after 45 days. You make calls with the Access Token until it expires, then use the Refresh Token to obtain a new Refresh Token and Access Token, update your stored versions to the new ones and keep going.

So long as you use the Refresh Token within 45 days consistently you do not need a cron. Many people use one that calls and stores the Refresh Token every 30 days or so just as a safeguard in case a service goes unused for a while to prevent the token from aging out, but that’s generally just a precaution.

The OAuth2 Authorization method and Refresh Token grant are an industry standard for rotating-key security.

We provide additional documentation here regarding implementation:
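The rotation described in the answer above, as an added example that is not Keap's own code or documentation: a small token manager that uses the stored access token until it is about to expire, then spends the refresh token to obtain a new pair and stores both, plus the optional 30-day keep-alive the answer mentions for integrations that sit idle. The token endpoint is injected as a callable, so the offline stand-in (`FakeTokenServer`, `FakeClock`, both constructed for this example) and the real HTTP call are interchangeable. The endpoint URL, the form-body refresh request and the HTTP Basic client-credential header in `keap_token_endpoint` are assumptions about Keap's token endpoint and are not exercised offline.

```python
"""Keap-style OAuth2 token rotation: access token (24 h) renewed with a refresh token (45 d)."""
import base64
import json
import secrets
import urllib.parse
import urllib.request
from dataclasses import dataclass

ACCESS_TOKEN_LIFETIME = 24 * 3600         # per the answer above: access token lives 24 hours
REFRESH_TOKEN_LIFETIME = 45 * 24 * 3600   # refresh token lives 45 days
REFRESH_MARGIN = 5 * 60                   # refresh slightly early instead of racing the expiry
KEEPALIVE_AFTER = 30 * 24 * 3600          # optional safeguard: rotate an idle refresh token at 30 days
TOKEN_URL = "https://api.infusionsoft.com/token"  # assumption: Keap's token endpoint URL


class ReauthorizationRequired(Exception):
    """Refresh token aged out: a human must redo the authorization-code grant."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: float   # epoch seconds
    refresh_issued_at: float   # epoch seconds; starts the refresh token's 45-day clock

    @classmethod
    def from_response(cls, resp: dict, now: float) -> "TokenSet":
        return cls(resp["access_token"], resp["refresh_token"], now + int(resp["expires_in"]), now)


class TokenManager:
    """Hands out a valid access token, rotating the pair through the refresh grant as needed.
    `token_endpoint` maps a refresh token to the token response, so the real HTTP call and
    the offline stand-in below are interchangeable. Persist `tokens` (encrypted) in production."""

    def __init__(self, tokens: TokenSet, token_endpoint, clock):
        self.tokens = tokens
        self._endpoint = token_endpoint
        self._clock = clock

    def get_access_token(self) -> str:
        now = self._clock()
        if now >= self.tokens.access_expires_at - REFRESH_MARGIN:
            self._refresh(now)
        return self.tokens.access_token

    def keepalive(self) -> bool:
        """For an optional scheduled job: rotate a refresh token that has sat idle for
        KEEPALIVE_AFTER so a quiet integration never hits the 45-day limit. True if rotated."""
        now = self._clock()
        if now - self.tokens.refresh_issued_at < KEEPALIVE_AFTER:
            return False
        self._refresh(now)
        return True

    def _refresh(self, now: float) -> None:
        if now - self.tokens.refresh_issued_at >= REFRESH_TOKEN_LIFETIME:
            raise ReauthorizationRequired("refresh token is older than 45 days")
        resp = self._endpoint(self.tokens.refresh_token)
        self.tokens = TokenSet.from_response(resp, now)   # both tokens replaced; old ones are spent


def keap_token_endpoint(client_id: str, client_secret: str):
    """Real refresh call (not exercised offline). Assumption: Keap takes grant_type=refresh_token
    as a form body with the client credentials in an HTTP Basic header."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

    def call(refresh_token: str) -> dict:
        body = urllib.parse.urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
        req = urllib.request.Request(TOKEN_URL, data=body.encode(), method="POST", headers={
            "Authorization": "Basic " + creds, "Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=30) as r:
            return json.load(r)
    return call


class FakeClock:
    """Constructed clock so the example can step through hours and days offline."""
    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeTokenServer:
    """Constructed stand-in for the authorization server: issues rotating pairs and rejects a
    refresh token that was already used or is older than 45 days."""
    def __init__(self, clock):
        self._clock = clock
        self._live = {}   # live refresh tokens -> issued_at

    def issue(self) -> dict:
        rt = secrets.token_urlsafe(24)
        self._live[rt] = self._clock()
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": rt,
                "expires_in": ACCESS_TOKEN_LIFETIME, "token_type": "bearer"}

    def refresh(self, refresh_token: str) -> dict:
        issued = self._live.pop(refresh_token, None)   # single use: rotation revokes it
        if issued is None or self._clock() - issued >= REFRESH_TOKEN_LIFETIME:
            raise PermissionError("invalid_grant")
        return self.issue()
```

With the fake server, create the manager from `server.issue()`, advance the clock past 24 hours and call `get_access_token()` again: the refresh happens inline and both stored tokens change, so an integration that makes at least one call every 45 days needs no cron at all. `keepalive()` is the scheduled safeguard for one that may go quiet; once the refresh token is past 45 days, `ReauthorizationRequired` is raised and the only fix is to repeat the authorization grant.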

Thanks for the quick answer Tom.
I understand the process. I have 15 years of experience in the security industry.

The point is that this application is single-client (server to server), so forcing the token refresh is unnecessary, although it is what the standard prescribes.
A MITM obtaining the token is successful regardless of the app refreshing it every 24 hours.
And if the server is compromised, well, refreshing doesn’t give any protection either.

The refresh only makes sense if it’s another client authorizing the access to their own data for a limited period of time which is what OAuth tries to accomplish here.

I don’t want to sound harsh or anything. It’s just that nowadays the time required to integrate your app with a 3rd party service like CRM/Marketing platform is a big factor in the 3rd party service selection process.
I am falling back to your obsolete but easier-to-implement XMLRPC.

I know you are doing your best. Please feel free to pass this feedback to your technical lead.