Hi everyone,
Please clarify the entire token workflow for me a little bit.
To authorize a customer we need to send the client a link to “GET /authorize” with all required parameters. This is the only way to generate the access/refresh tokens. It’s impossible to make an API call for an already authorized customer to retrieve the “code” again, which is required for the access/refresh tokens.
So we have this code and we don’t need to save it anywhere in the session or database. We just use it for POST /oauth/token. In the response we get two tokens. The access and refresh tokens need to be saved into the customer’s session or into the database for further usage.
And then I can make all required requests with the access_token. When the response has a 4xx error I call POST /oauth/token (grant_type=refresh_token&refresh_token=asdfasdfdsf…), update the access token in the customer’s session and make one more attempt with this new token.
Is everything I wrote here correct?
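The workflow described in the post, written out as an added example (it is not code from the post or from any particular OAuth provider). The endpoint names /authorize and /oauth/token come from the post; the client id/secret, redirect URI, token lifetime and the in-memory fake authorization server are assumptions made so the example runs offline. Two details a practitioner would want are built in: the client refreshes only on 401 (a 403, 404 or 400 will not be cured by a new access token) and retries exactly once, and it stores the new refresh token returned by the refresh call, because many providers rotate it and reject the old one.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Assumed client registration values (not from the original post).
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"
REDIRECT_URI = "https://app.example/callback"
AUTHORIZE_URL = "https://provider.example/authorize"
ACCESS_TTL = 300  # seconds the fake server keeps an access token valid


class FakeAuthServer:
    """Constructed stand-in for the provider (GET /authorize, POST /oauth/token,
    one protected API call) so the example runs offline."""

    def __init__(self):
        self.codes = {}        # code -> customer, single use
        self.access = {}       # access_token -> (customer, expiry)
        self.refresh = {}      # refresh_token -> customer, rotated on use
        self.clock_offset = 0  # bumped in tests to force token expiry
        self.api_calls = 0

    def now(self):
        return time.time() + self.clock_offset

    def authorize(self, customer):
        """The redirect to GET /authorize ends, after consent, with a one-time code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = customer
        return code

    def token(self, form):
        """POST /oauth/token, serving both grant types."""
        if (form.get("client_id"), form.get("client_secret")) != (CLIENT_ID, CLIENT_SECRET):
            return 401, {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            customer = self.codes.pop(form.get("code"), None)
        elif grant == "refresh_token":
            customer = self.refresh.pop(form.get("refresh_token"), None)
        else:
            return 400, {"error": "unsupported_grant_type"}
        if customer is None:
            return 400, {"error": "invalid_grant"}
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = (customer, self.now() + ACCESS_TTL)
        self.refresh[refresh] = customer
        return 200, {"access_token": access, "refresh_token": refresh,
                     "token_type": "Bearer", "expires_in": ACCESS_TTL}

    def api(self, headers):
        """Protected resource: 401 when the bearer token is missing or expired."""
        self.api_calls += 1
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        entry = self.access.get(token)
        if entry is None or entry[1] <= self.now():
            return 401, {"error": "invalid_token"}
        return 200, {"customer": entry[0]}


@dataclass
class Session:
    """What the app keeps per customer after the code exchange; the code itself is not kept."""
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None


class Client:
    def __init__(self, server):
        self.server = server

    def authorize_url(self, state):
        """Link the customer is sent to; state ties the callback to this session."""
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "state": state})

    def exchange_code(self, session, code):
        """Trade the one-time code for tokens and store only the tokens."""
        status, body = self.server.token({
            "grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
        if status != 200:
            return False
        session.access_token, session.refresh_token = body["access_token"], body["refresh_token"]
        return True

    def refresh(self, session):
        """Spend the refresh token once; keep the rotated one the server returns."""
        if not session.refresh_token:
            return False
        status, body = self.server.token({
            "grant_type": "refresh_token", "refresh_token": session.refresh_token,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
        if status != 200:
            session.access_token = session.refresh_token = None  # customer must re-authorize
            return False
        session.access_token, session.refresh_token = body["access_token"], body["refresh_token"]
        return True

    def call_api(self, session):
        """Call with the access token; on 401 refresh once and retry once.
        Any other status, including other 4xx codes, is returned unchanged."""
        status, body = self.server.api({"Authorization": f"Bearer {session.access_token}"})
        if status != 401 or not self.refresh(session):
            return status, body
        return self.server.api({"Authorization": f"Bearer {session.access_token}"})
```

In a real deployment `FakeAuthServer.token` and `FakeAuthServer.api` become HTTPS requests to the provider, the `Session` object is whatever server-side session or database row holds the customer's tokens, and `refresh` should be serialized per customer so two concurrent 401s do not both spend the same refresh token.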