Introducing OAuth Refresh Tokens

We are excited to announce improvements to our OAuth implementation! To offer more security for our customers’ data and to eliminate the need for authentication every 90 days, we enabled new, short-lived Access Tokens and indefinite Refresh Tokens for our developers using OAuth.

  1. Authenticate Once, Refresh the Rest – The new indefinite Refresh Token can be used to request a new Access Token to maintain the sync between your app and a user’s Infusionsoft application. This process eliminates the need for a user to re-authenticate every 90 days.

  2. More Secure Customer Data – The new short-lived Access Token is valid for only 1 hour, which greatly limits the amount of time an unauthorized app can access a customer’s software.

Our developer community frequently asked for indefinite Access Tokens, and we addressed this request with a combination of new Access and Refresh Tokens.

What does this mean for your app?

  • If you are using our legacy API (vendor keys and app generated API keys) this change will not affect you. However, migrating to OAuth will give you access to the new Access and Refresh tokens.
  • For developers using OAuth, you can use the new Access Tokens and Refresh Tokens. Any Access Tokens generated prior to September 15 will continue to work until September 29, at which point we will invalidate existing OAuth Access Tokens. This will cause your app users to re-authenticate hourly. To prevent hourly re-authentication, you will need to update your application to take advantage of the new Refresh Tokens.
  • If you’re using our PHP SDK, you simply need to update to the latest version and follow the directions in the README.
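
As an added illustration (not Infusionsoft's code or SDK), here is one way an app could hold the 1-hour Access Token and use the Refresh Token to obtain a new one before it lapses. The token URL, class names and stand-in endpoint are assumptions; the request body follows the standard OAuth 2.0 refresh grant (RFC 6749, section 6).

```python
import time
from urllib.parse import urlencode, parse_qs

TOKEN_URL = "https://auth.example.invalid/token"  # placeholder, not a real endpoint
SKEW = 60  # seconds of safety margin before the 1-hour expiry


class ReauthRequired(Exception):
    """The refresh token was rejected; the user must authorize again."""


class TokenStore:
    def __init__(self, client_id, client_secret, refresh_token, post, clock=time.time):
        self.client = (client_id, client_secret)
        self.refresh_token = refresh_token
        self.post, self.clock = post, clock  # post: injected HTTP transport
        self.access_token, self.expires_at = None, 0.0

    def get_access_token(self):
        # Refresh lazily: only when there is no token or it is about to expire.
        if self.access_token is None or self.clock() >= self.expires_at - SKEW:
            self._refresh()
        return self.access_token

    def _refresh(self):
        body = urlencode({"grant_type": "refresh_token",
                          "refresh_token": self.refresh_token})
        status, payload = self.post(TOKEN_URL, body, self.client)
        if status != 200:
            self.access_token = None  # never keep serving a token we cannot renew
            raise ReauthRequired(payload.get("error", "unknown"))
        self.access_token = payload["access_token"]
        self.expires_at = self.clock() + int(payload.get("expires_in", 3600))
        # RFC 6749 section 6 lets the server return a replacement refresh token.
        self.refresh_token = payload.get("refresh_token", self.refresh_token)


class FakeTokenEndpoint:
    """Constructed stand-in for the provider, so the example runs offline."""
    def __init__(self, valid_refresh):
        self.valid, self.calls = valid_refresh, 0

    def __call__(self, url, body, auth):
        self.calls += 1
        if parse_qs(body)["refresh_token"][0] != self.valid:
            return 400, {"error": "invalid_grant"}
        self.valid = f"refresh-{self.calls}"  # constructed behaviour: rotate on use
        return 200, {"access_token": f"access-{self.calls}",
                     "expires_in": 3600, "refresh_token": self.valid}
```

In a real app, replace `FakeTokenEndpoint` with an HTTPS POST to the provider's token endpoint and persist `refresh_token` in encrypted storage after every refresh.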

We appreciate the input from our developers and look forward to future releases based on your feedback. If you have questions or comments on this release, post on the Infusionsoft API Facebook group or within the Developer Forums.