Tokens

Learn how Sqala tokens works

Refresh Token

The refresh token is a long-lasting token that allows you to generate new access tokens
without having to use your main credentials (AppID and AppSecret) each time.

  • You receive a refresh token when you create your account on the Developer Portal
  • The refresh token does not expire, but can be revoked for security reasons
  • Use the refresh token to generate access tokens, which have a limited duration (1 hour).

Access Token

Access tokens expire after 1 hour (3600 seconds). You must renew the token before
it expires to maintain continuity of operations.

We recommend implementing a logic that:

  1. Store the token and its expiry time
  2. Check if the token is about to expire before each request
  3. Renew the token automatically when necessary

Example of javascript auto-renewal

    const tokenExpiresIn = (expirationTime - Date.now()) / 1000

    if (tokenExpiresIn < 300) {
      // renew token
      const newToken = await renewAccessToken()
      // update and store new token
      storeToken(newToken)
    }

Secure Token Storage

Access tokens must be stored securely:

  • Backend - store tokens in environment variables or secure systems of
    secret management
  • Mobile - use platform-specific secure storage (Keychain on iOS,
    EncryptedSharedPreferences on Android)
  • Never include tokens in versioned source code or logs.