API Validating Auth Token Expiration

[FASTDEVICE]

Is there an API the validates if an auth token is expired and if not, what is the recommended way to validate a token before requesting a new one?

[Rick Guyton]

You are wanting to validate that a past token was at one time valid? I'm assuming so that you can request a new one using your API key, but only if the token was once valid?

[FASTDEVICE]

I want to test to see if the token is still valid and if not, request a new one. At the moment my routine requests a new token every 30 minutes. It appears that depending on the operation, the lifetime of a token varies.

[Rick Guyton]

Couldn't you just make any old API req with the token and see if you get "status":"success"? Just as an example, do a GET request on /v1/accounts/{account_id}

[FASTDEVICE]

I'm trying to avoid a query that returns a large amount of JSON. I'm thinking to do an incomplete .../channels, which returns a null data value and status of "success." 

[FASTDEVICE]

ahh, but if you have many channels open, even that returns a large amount of JSON.

[Rick Guyton]

Hrm, I donno about channels. They seem to be a bit touchy about the use of that API. May I ask why you are trying to catch that on the front end? Why not just grab a new token when you see it fail?

[Rick Guyton]

Maybe do a GET on v1/accounts/{account_id}/webhooks if absolutely needed? If it returns anything, it should be pretty small.

[FASTDEVICE]

old school developer background. I like to validate a value is not null before using it. That way I don't have to fail, set value, and retry.

[Rick Guyton]

I'm almost never accused of doing something the "new fangled" way. I need to take this in for a minute...
....
......
Wait For It
..........
.............
Awww yea, that's nice. ;)

Gun to my head, I'd use v1/accounts/{account_id}/webhooks. First, if you are relying upon webhooks for other parts of your app, you can double check it and make sure they are still there whit this data. So, at least it wouldn't be a totally wasteful request. Second, I don't think very many people even use this feature. So, most accounts will probably be empty. Those that do use the webhooks should only have a couple. So, in any scenario it should be a pretty small request.

I'd still assume the token's good for some length of time. At least a minute or two. Can't imagine checking it before every single API call.

The best docs I've found are here: https://github.com/2600hz/kazoo/tree/master/applications/crossbar/doc
Maybe you can find something that works better for you. I don't see any functions that simply validate a token or return static data though.

[Guest CBV David]

You can validate if the auth_token is not expired:

Fetch Token auth information

GET /v2/accounts/{ACCOUNT_ID}/user_auth/{AUTH_TOKEN}

Doesn't appear that any sort of time to expire information is included in the response.

Presumably you've already found this from Rick's link above, but just in case you hadn't: https://github.com/2600hz/kazoo/blob/master/applications/crossbar/doc/user_authentication.md

I believe that on the hosted cluster tokens are currently set to expire after an hour, but you'd probably want to confirm that to be certain.

[FASTDEVICE]

I have some test code written about a week ago whereby I hard coded an auth token. The token currently fails the user_auth validation (as expected with a week old hash), but still allows me to use quickcall. I wonder if that's a bug?