I have an API site that is set up to use M2M authentication with a web application that wants to call it.
(Both the API site and the web application are built using Flask / Python)
I’ve been looking around for best practices on how/when to check the M2M access token’s expiration date so that I can call the Auth0 server to get a new M2M access token.
1. Should I check the expiration date on the access token in my web application? I read this, where it sounds like the author was planning to do the expiration date check in his web application before calling the API site: Correct way to handle M2M token renewal?

   BUT, in this article, it sounds like it should not be done this way: Tokens

   Under “Access Tokens”, it says:

   “Your application should not attempt to decode them or expect to receive tokens in a particular format.”

   In order for me to look at the expiration date of the access token I have to decode it (with JWT in my situation, and for the author of the post I listed above), so is the article saying this is NOT a good practice? Can someone confirm this? And if this really isn’t good practice, can you explain the reasons behind this?
2. So if #1 is not best practice, it sounds like my application has to first call the API site with the access token, where the token will be decoded and verified using JWT, and the API sends back a 401 error to my application (if it’s expired, for instance), which at that point I need to catch, determine whether the 401 error is because of the token being expired, request another token, and try the API call again. Is this the best practice?
3. A third option is perhaps to just have the web application request a token every time an API call is needed, but that sounds like it could cause latency/cost problems, correct?
Thanks in advance.
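The following is an added example illustrating options #1 and #2 from the question in one client; it is not code from the original post or from Auth0. It treats the access token as an opaque string (no JWT decoding in the web application): the cache expiry is taken from the `expires_in` field of the token response, with a leeway for clock skew, and a 401 carrying `WWW-Authenticate: Bearer error="invalid_token"` (RFC 6750) triggers exactly one token refresh and one retry, so the API site stays the authority on whether a token is valid. The `FakeAuthServerAndApi` class, the `/oauth/token` and API callables, and the `tok-N` token strings are constructed stand-ins so the block runs offline.

```python
"""Client-side M2M token cache with refresh-on-401 (added example, not from the post).

Assumptions: the token endpoint returns JSON with ``access_token`` and
``expires_in`` (seconds); the API answers a rejected bearer token with HTTP 401
and ``WWW-Authenticate: Bearer error="invalid_token"`` as in RFC 6750.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Minimal stand-in for an HTTP response: (status_code, headers, body).
Response = Tuple[int, Dict[str, str], object]


@dataclass
class CachedToken:
    value: str
    expires_at: float  # epoch seconds, derived from expires_in, never from the JWT body


class M2MClient:
    """Caches one client-credentials token; refreshes early and retries once on 401."""

    def __init__(self, fetch_token: Callable[[], dict], call_api: Callable[[str], Response],
                 clock: Callable[[], float] = time.time, leeway: float = 30.0):
        self._fetch_token = fetch_token  # hypothetical: POST to Auth0 /oauth/token
        self._call_api = call_api        # hypothetical: request against the API site
        self._clock = clock
        self._leeway = leeway            # refresh this many seconds before expires_in runs out
        self._cached: Optional[CachedToken] = None
        self.token_requests = 0          # counter so the caller can see how often we hit the token endpoint

    def _token(self, force: bool = False) -> str:
        now = self._clock()
        if force or self._cached is None or now >= self._cached.expires_at - self._leeway:
            body = self._fetch_token()
            self.token_requests += 1
            self._cached = CachedToken(value=body["access_token"],
                                       expires_at=now + float(body["expires_in"]))
        return self._cached.value

    def request(self) -> Response:
        status, headers, body = self._call_api(self._token())
        if status == 401 and is_invalid_token_challenge(headers):
            # The API rejected the token: refresh once, retry once, never loop.
            status, headers, body = self._call_api(self._token(force=True))
        return status, headers, body


def is_invalid_token_challenge(headers: Dict[str, str]) -> bool:
    """True when a 401 is about the bearer token itself (RFC 6750 section 3.1)."""
    challenge = headers.get("WWW-Authenticate", "")
    return challenge.startswith("Bearer") and 'error="invalid_token"' in challenge


class FakeAuthServerAndApi:
    """Constructed stand-in for Auth0 and the API site so the example runs offline."""

    def __init__(self, clock: Callable[[], float], lifetime: int = 3600):
        self._clock = clock
        self._lifetime = lifetime
        self._issued: Dict[str, float] = {}  # token -> server-side expiry
        self._count = 0
        self.api_calls = 0

    def token_endpoint(self) -> dict:
        self._count += 1
        token = f"tok-{self._count}"  # opaque placeholder, deliberately not a JWT
        self._issued[token] = self._clock() + self._lifetime
        return {"access_token": token, "token_type": "Bearer", "expires_in": self._lifetime}

    def revoke_all(self) -> None:
        self._issued.clear()  # simulates the API rejecting tokens the client still thinks are fresh

    def api(self, token: str) -> Response:
        self.api_calls += 1
        exp = self._issued.get(token)
        if exp is None or self._clock() >= exp:
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, None
        return 200, {}, {"ok": True}


def demo() -> dict:
    """Drive the client with a controllable clock; return observed statuses and counters."""
    now = [1_000_000.0]
    clock = lambda: now[0]
    server = FakeAuthServerAndApi(clock)
    client = M2MClient(server.token_endpoint, server.api, clock=clock)
    statuses = []
    statuses.append(client.request()[0])  # cold start: fetch tok-1, API returns 200
    now[0] += 100
    statuses.append(client.request()[0])  # cached token reused, no token request
    server.revoke_all()                   # API now rejects tok-1
    statuses.append(client.request()[0])  # 401 invalid_token -> refresh -> retry -> 200
    now[0] += 3600                        # at tok-2's expires_in boundary
    statuses.append(client.request()[0])  # proactive refresh inside the leeway, no 401 seen
    return {"statuses": statuses, "token_requests": client.token_requests,
            "api_calls": server.api_calls}


if __name__ == "__main__":
    print(demo())
```

The `expires_in` cache answers the latency/cost concern of option #3 without decoding the token, and the single refresh-and-retry on `invalid_token` covers the cases a local check can never predict (early revocation, signing-key rotation, a server clock ahead of the client's); any 401 that is not a bearer-token challenge is returned to the caller unchanged rather than retried.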