How to manage Management API Token?

Hi!
Reading the documentation, it’s not clear to me how to treat the Management API access token or what logic to implement in our app.

The documentation says

  1. “A Management API token is valid for 24 hours. Create a new access token when the old one expires.”
  2. “You cannot renew or revoke a Management API token.”

First of all, if I get 2 tokens in a short time, the second doesn’t invalidate the first and it’s possible to use both (this confuses me a bit).

Then, I don’t understand if a token has to be user-specific, session-specific or global (for all users for 24 hours). So it’s not clear to me where to store it and when to check for expiration.

Thank you.

  1. Correct, the second token will not invalidate the first token.
  2. These tokens are very powerful, but the scope they are limited to depends on the application whose client ID was used to get the token. If the application is marked as a single-page application, the Management API token can only be used for a single user. If it’s for a regular web app or M2M app, you can do everything with the token (depending on the scopes you have granted).

Thank you for your kind answer.
It’s a regular web app (Next.js).

So, do you suggest storing the token (where?) and checking for expiration every time I need it? (And of course getting a new token if it has expired.)

I ask because in the Python example at the bottom of this docs page it seems to ask for a new token every time it needs to do operations, and it is not checking for an old token.

Thanks.

Hope someone can provide some new recommendations for this question.
I also ran into the same thing and don’t know what the best practices are for it.
S3 bucket? Redis? Own database?

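One way to implement what the thread is asking for (store the token once for the application, check expiry on every use, fetch a new one only when needed), as an added example that is not part of any post above and not Auth0's own SDK code. It is a server-side, in-process cache for a Management API token obtained with the client_credentials grant, which is what a regular web app or M2M app uses; the token belongs to the application (client ID), not to a user or session, so one copy per server process serves every request. The `/oauth/token` request body and the `access_token`/`expires_in` response fields are the standard OAuth 2.0 client-credentials exchange; the tenant domain, client ID, secret, audience, fetch implementation and clock are injected placeholders so the example runs offline against a constructed stand-in for the token endpoint.

```javascript
// Added example: process-wide cache for an application-scoped Management API token.
// Domain, client ID, secret and audience are placeholders, not real values.

const REFRESH_SKEW_MS = 60 * 1000; // renew a minute early so a call never straddles expiry

function createManagementTokenCache({
  domain, clientId, clientSecret, audience,
  fetchImpl = globalThis.fetch,   // injected so the example can run without network access
  now = () => Date.now(),         // injected clock, so expiry can be simulated
}) {
  let cached = null;   // { accessToken, expiresAt } with expiresAt in ms since epoch
  let inflight = null; // pending refresh, shared by every caller that finds the cache stale
  let requests = 0;    // number of token requests actually sent to the endpoint

  async function requestToken() {
    requests += 1;
    const res = await fetchImpl(`https://${domain}/oauth/token`, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
        audience,
      }),
    });
    if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
    const body = await res.json();
    if (typeof body.access_token !== 'string' || !Number.isFinite(body.expires_in)) {
      throw new Error('malformed token response');
    }
    // Trust expires_in from the response rather than hard-coding the 24-hour lifetime.
    return { accessToken: body.access_token, expiresAt: now() + body.expires_in * 1000 };
  }

  // "Fresh" means the token will still be valid for at least REFRESH_SKEW_MS.
  function isFresh() {
    return cached !== null && cached.expiresAt - REFRESH_SKEW_MS > now();
  }

  // Returns the cached token while fresh; otherwise mints a new one. Concurrent callers
  // that all see a stale cache share one refresh instead of each minting a token.
  function getToken() {
    if (isFresh()) return Promise.resolve(cached.accessToken);
    if (inflight === null) {
      inflight = requestToken()
        .then((entry) => { cached = entry; return entry.accessToken; })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  return { getToken, isFresh, requestCount: () => requests };
}

// Constructed stand-in for the token endpoint: every call issues a distinct token with
// the documented 24-hour lifetime, so the cache's behaviour is observable offline.
function fakeTokenEndpoint() {
  let issued = 0;
  return async (_url, _init) => {
    issued += 1;
    return {
      ok: true,
      status: 200,
      json: async () => ({ access_token: `mgmt-token-${issued}`, token_type: 'Bearer', expires_in: 86400 }),
    };
  };
}

// Walks the cache through its lifecycle on a controllable clock and reports what happened.
async function demo() {
  let clock = 1700000000000;
  const cache = createManagementTokenCache({
    domain: 'example.auth0.com',                    // placeholder tenant
    clientId: 'CLIENT_ID',                          // placeholders, never real credentials
    clientSecret: 'CLIENT_SECRET',
    audience: 'https://example.auth0.com/api/v2/',  // placeholder audience
    fetchImpl: fakeTokenEndpoint(),
    now: () => clock,
  });

  const [a, b] = await Promise.all([cache.getToken(), cache.getToken()]); // two callers, one request
  clock += 23 * 60 * 60 * 1000;        // 23 hours later: still fresh, no new request
  const c = await cache.getToken();
  clock += 59 * 60 * 1000 + 1000;      // 23h59m01s: inside the skew window, so refresh
  const d = await cache.getToken();
  return { a, b, c, d, requests: cache.requestCount() };
}

demo().then((result) => console.log(result));
```

Keep the cache in a server-only module (an API route, server component or `getServerSideProps` in Next.js) and never pass the token to the browser, since a Management API token cannot be revoked once issued. Because a newly minted token does not invalidate an older one, as the reply above confirms, several server instances each holding their own cached token is fine; a shared store such as Redis is only worth the extra moving parts if you want to keep token-endpoint traffic to a minimum across many instances.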