Learn how Sqala tokens works
Refresh Token
The refresh token is a long-lasting token that allows you to generate new access tokens
without having to use your main credentials (AppID and AppSecret) each time.
- You receive a refresh token when you create your account on the Developer Portal
- The refresh token does not expire, but can be revoked for security reasons
- Use the refresh token to generate access tokens, which have a limited duration (1 hour).
Access Token
Access tokens expire after 1 hour (3600 seconds). You must renew the token before
it expires to maintain continuity of operations.
We recommend implementing a logic that:
- Store the token and its expiry time
- Check if the token is about to expire before each request
- Renew the token automatically when necessary
Example of javascript auto-renewal
const tokenExpiresIn = (expirationTime - Date.now()) / 1000
if (tokenExpiresIn < 300) {
// renew token
const newToken = await renewAccessToken()
// update and store new token
storeToken(newToken)
}
Secure Token Storage
Access tokens must be stored securely:
- Backend - store tokens in environment variables or secure systems of
secret management - Mobile - use platform-specific secure storage (Keychain on iOS,
EncryptedSharedPreferences on Android) - Never include tokens in versioned source code or logs.