Bearer Token Management
Token Management Best Practices
1. Implement Automatic Token Refresh
Since tokens expire after 1 hour, implement automatic refresh logic:
```javascript
// Example: Token refresh middleware
const axios = require('axios');

class TokenManager {
  constructor(username, password, baseUrl) {
    this.username = username;
    this.password = password;
    this.baseUrl = baseUrl;
    this.token = null;
    this.tokenExpiry = null;
  }

  async getToken() {
    // Refresh if the token has expired or will expire within 5 minutes
    if (!this.token || Date.now() > this.tokenExpiry - 300000) {
      await this.refreshToken();
    }
    return this.token;
  }

  async refreshToken() {
    const response = await axios.post(`${this.baseUrl}/auth/token`, {
      username: this.username,
      password: this.password,
    });
    this.token = response.data.data.token;
    this.tokenExpiry = Date.now() + 3600000; // 1 hour
  }
}

module.exports = TokenManager;
```
2. Secure Credential Storage
- ❌ Don't hardcode credentials in source code
- ❌ Don't commit credentials to version control
- ❌ Don't expose credentials in client-side code
- ✅ Use environment variables
- ✅ Use secrets management services (AWS Secrets Manager, Azure Key Vault, etc.)
- ✅ Rotate passwords periodically
3. Handle Token Expiration Gracefully
```python
import requests


def make_api_request(url, auth):
    try:
        headers = auth.get_headers()
        response = requests.get(url, headers=headers)
        # If the token was rejected as expired, refresh it and retry once
        if response.status_code == 401:
            auth.token = None  # Force a token refresh on the next get_headers() call
            headers = auth.get_headers()
            response = requests.get(url, headers=headers)
        return response
    except Exception as e:
        # Handle errors appropriately (log, wrap, etc.) and re-raise
        raise
```
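The following is an added example, not part of the original documentation, that combines the proactive refresh from section 1 with the retry-on-401 pattern from section 3 in one Python class, reads credentials from environment variables as section 2 recommends, and caps the retry at a single attempt so a server that keeps rejecting tokens cannot cause an endless refresh loop. The HTTP calls are injected as callables (`post_token`, `send`) so it runs offline; the environment variable names are placeholders chosen here.

```python
import os
import time

REFRESH_MARGIN = 300   # refresh tokens that expire within 5 minutes
TOKEN_LIFETIME = 3600  # the API issues tokens valid for 1 hour


class BearerAuth:
    """Caches a bearer token, refreshes it before expiry, retries once on 401.

    `post_token(username, password) -> token` stands in for POST /auth/token;
    `now` is injectable so expiry behaviour can be tested with a fake clock.
    """

    def __init__(self, username, password, post_token, now=time.time):
        self.username = username
        self.password = password
        self.post_token = post_token
        self.now = now
        self.token = None
        self.token_expiry = 0.0

    def get_headers(self):
        # Refresh when no token is cached or it expires within the margin
        if self.token is None or self.now() > self.token_expiry - REFRESH_MARGIN:
            self.refresh_token()
        return {"Authorization": f"Bearer {self.token}"}

    def refresh_token(self):
        self.token = self.post_token(self.username, self.password)
        self.token_expiry = self.now() + TOKEN_LIFETIME

    def request(self, send, url):
        """send(url, headers) -> (status_code, body).

        Retries at most once on 401: a freshly issued token that is still
        rejected is surfaced to the caller instead of looping forever.
        """
        status, body = send(url, self.get_headers())
        if status == 401:
            self.token = None  # force a refresh, then retry exactly once
            status, body = send(url, self.get_headers())
        return status, body


def auth_from_env(post_token, now=time.time):
    # Credentials come from the environment, never from source code.
    # API_USERNAME / API_PASSWORD are placeholder variable names.
    return BearerAuth(os.environ["API_USERNAME"], os.environ["API_PASSWORD"],
                      post_token, now)
```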
4. Use Different Credentials Per Environment
- Separate credentials for sandbox and production
- Different credentials for different applications
- Makes it easier to revoke access if compromised
5. Monitor API Usage
- Regularly review API usage logs
- Set up alerts for failed authentication attempts
- Monitor for unusual activity patterns
Last updated: October 2025