Error response: Handling usage of Expired vs. Revoked access tokens

Seeing as how we need to handle refresh tokens now, I would like to be able to distinguish when an access token has expired vs. been revoked based on the API response after attempting to present the token.

I would expect to see a different 401 error response when attempting to use the access token but the API documentation doesn’t list any details relevant to this (that I can find.) And there’s no dev tool for generating already-expired access tokens that I’m aware of (which would be useful for testing/test-automation please, but that’s beside the point).

It’s relevant because if I have to treat the responses for expired vs. revoked as the same, then I will be always making an extra API request for a revoked access token, trying to refresh it first but then getting a refresh-request-error. If I could see “expired” for one of them then I could bypass the refresh attempt in the other.

I figured out the answer, it can be found here: Authentication | Twitch Developers under the heading “Refresh in Response to Server Rejection for Bad Authentication”. I’ll just quote:

On seeing a 401 error with a WWW-Authenticate header, an application should try to refresh the session if a refresh token is present. If the refresh fails, the application should re-prompt the end user with another authentication dialog via the standard OAuth 2 flow.

So, they should be treated as equivalent cases.
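An added example (not from the posts above or from Twitch's documentation) of the flow the quoted guidance describes: on a 401 carrying a WWW-Authenticate header, refresh once and retry, and fall back to re-authentication if the refresh is rejected. The `send` and `refresh` callables, the `FakeServer` stand-in and all token values are constructed assumptions so the sketch runs offline.

```python
class ReauthRequired(Exception):
    """Refresh was impossible or rejected: restart the OAuth 2 flow."""

def is_auth_rejection(status, headers):
    # Header names are case-insensitive, so compare them lowercased.
    return status == 401 and any(k.lower() == "www-authenticate" for k in headers)

def call_with_refresh(send, refresh, tokens):
    """send(access_token) -> (status, headers, body)
    refresh(refresh_token) -> dict of new tokens, or None if rejected.
    tokens is a mutable dict updated in place when the refresh succeeds."""
    status, headers, body = send(tokens["access_token"])
    if not is_auth_rejection(status, headers):
        return status, body
    # Expired and revoked tokens look identical here, so both take this path.
    if not tokens.get("refresh_token"):
        raise ReauthRequired("no refresh token stored")
    new_tokens = refresh(tokens["refresh_token"])
    if not new_tokens:
        raise ReauthRequired("refresh request rejected")
    tokens.update(new_tokens)
    # Retry exactly once; a second rejection must not start a refresh loop.
    status, headers, body = send(tokens["access_token"])
    if is_auth_rejection(status, headers):
        raise ReauthRequired("freshly issued token rejected")
    return status, body

class FakeServer:
    """Constructed stand-in for the API and token endpoint; counts requests."""
    def __init__(self, good_access, good_refresh):
        self.good_access, self.good_refresh = good_access, good_refresh
        self.api_calls = self.refresh_calls = 0

    def send(self, access_token):
        self.api_calls += 1
        if access_token == self.good_access:
            return 200, {}, "ok"
        # Constructed header value; only the header's presence matters here.
        return 401, {"WWW-Authenticate": 'OAuth realm="constructed"'}, "invalid token"

    def refresh(self, refresh_token):
        self.refresh_calls += 1
        if refresh_token == self.good_refresh:
            return {"access_token": self.good_access}
        return None

if __name__ == "__main__":
    srv = FakeServer("A2", "R1")
    print(call_with_refresh(srv.send, srv.refresh,
                            {"access_token": "A1", "refresh_token": "R1"}))
```

The request counters on `FakeServer` make the cost visible: a revoked session costs one API call plus one rejected refresh before the user is re-prompted.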
