We are changing the way OAuth tokens work at Unbounce. At the moment, we are using never-expiring opaque tokens that we issue once when an application developer requests them. In the near future, we will be using JWT (JSON Web Token) tokens that expire and need to be refreshed.
If you use our API and your integration assumes that OAuth access tokens never expire and never need to be refreshed, you will need to update your token handling to use current OAuth libraries. You will likely need to consult with your development team to determine how your application currently handles Unbounce OAuth tokens and whether changes are required.
Why we’re making the changes
We chose the JWT-type token to improve our APIs’ authentication handling and prepare for additional authentication changes. Additionally, we are improving our security by having tokens that expire.
How the changes affect your application
You will receive an access token and a refresh token when you initially request OAuth access. The access token will expire every 10 minutes. To obtain a new access token, you will use the refresh token. Once you use a refresh token, Unbounce invalidates it and issues a new refresh token. Refresh tokens are one-time use only.
The access token size will increase, and the maximum size will be 8K. The refresh token might also be up to 8K. You’ll need to ensure that your application can handle the new token size.
Additionally, error responses will now use the correct HTTP status codes. Errors that currently return a 401 status code will return 400 by default; the invalid_client and invalid_token errors specifically will return 401. If your application branches on the 401 code, check that it handles both.
We are also fixing the revocation response for invalid tokens and unauthorized requests to conform with RFC 7009. Specifically, it will not be possible to make a revocation request without client_id and client_secret.
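A client-side token manager written to the rules above, added here as an example and not Unbounce's own code: it schedules the refresh from the JWT's exp claim (falling back to the stated 10-minute lifetime), never sends a refresh token twice, treats an error body as terminal rather than retrying with a spent token, and rejects tokens over the 8K limit. The do_refresh callback, which would POST the standard OAuth refresh_token grant to the token endpoint and return its JSON body as a dict, is an assumption; the announcement does not describe the endpoint.

```python
import base64
import json
import threading
import time

ACCESS_TTL = 600        # page: access tokens expire every 10 minutes
MAX_TOKEN_BYTES = 8192  # page: each token may be up to 8K
SKEW = 30               # refresh this many seconds early to absorb clock drift

def jwt_exp(token):
    """Read the 'exp' claim from a JWT payload. No signature check: the client
    only uses it to schedule a refresh and trusts nothing else in the token."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    except (IndexError, ValueError, AttributeError):
        return None

class TokenManager:
    """Holds one access/refresh pair. do_refresh is a hypothetical callback that
    posts the refresh_token grant to the token endpoint and returns its JSON."""
    def __init__(self, access_token, refresh_token, do_refresh, now=time.time):
        self.now, self.do_refresh = now, do_refresh
        self.lock = threading.Lock()
        self._install(access_token, refresh_token)

    def _install(self, access_token, refresh_token):
        for t in (access_token, refresh_token):
            if len(t.encode()) > MAX_TOKEN_BYTES:
                raise ValueError("token exceeds the 8K maximum")
        self.access_token, self.refresh_token = access_token, refresh_token
        # Prefer the JWT's own exp; fall back to issuance time + 10 minutes.
        self.expires_at = jwt_exp(access_token) or self.now() + ACCESS_TTL

    def get_access_token(self):
        with self.lock:  # one refresh at a time: the refresh token is single-use
            if self.now() >= self.expires_at - SKEW:
                self._refresh()
            return self.access_token

    def _refresh(self):
        if self.refresh_token is None:
            raise RuntimeError("refresh token already spent; re-authorize")
        used, self.refresh_token = self.refresh_token, None  # never reuse it
        body = self.do_refresh(used)
        if "error" in body:  # 400 by default, 401 for invalid_token/invalid_client
            raise RuntimeError("refresh failed: " + body["error"])
        self._install(body["access_token"], body["refresh_token"])
```

Persist the new pair in the same transaction that marks the old refresh token as used; if the process dies between consuming a refresh token and storing its replacement, the only recovery is a fresh authorization.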
In 1 month
Starting April 11, 2022, OAuth applications will start to receive JWT expiring access tokens. If you cannot support the new token requirements by April 11, please reach out to firstname.lastname@example.org.
Applications' previously issued never-expiring access tokens will continue to be valid for an additional five months.
Additionally, we will start to return scopes. This change will not impact existing access tokens or the API functionality at this time.
In 6 months
Starting Sept 12, 2022, we will begin revoking all never-expiring tokens.