I would really like an answer to this last question.
If the idea is that our API server gets a refresh + access token, then passes the access token to the (user side) app client, which they then use as a bearer token to access resources on the API server (at least, I think this is what is implied by the rather not-too-great docs), then you want to be able to either verify the access token on every request to your API server, which includes checking its validity. If it's nearing expiry, you should use the refresh token to request a new access token.
If you have access token validity at 1h, and throttling on token endpoint calls at 1 per day, that's a big fail.
Anyhow, I'd really like to know apple's preferred way of doing this, without us either (1) rolling our own token issuing on our servers; or (2) relying on a service such as Cognito in the middle to handle token issuing.
dbtl88
Users receive reputation points by contributing quality content to the forums.
Posts include post and replies published on the forums.
Post authors can mark replies as Accepted to indicate successful solutions.
Apple Developer Forums admins can mark replies as Apple Recommended to indicate an approved solution
From
London
Post
Replies
Boosts
Views
Activity
Same problem here. This is completely ridiculous and makes it impossible to develop watch apps on Xcode 14.