I find this statement is a bit vague. What calls are in risk of getting throttled? Only validating the refresh_token? what about validating an authorization_code? What about validating a refresh_token obtained by a newly issued identity_token?You may verify the refresh token up to once a day to confirm that the user’s Apple ID on that device is still in good standing with Apple’s servers. Apple’s servers may throttle your call if you attempt to verify a user’s Apple ID more than once a day.
I'm going through my login flow and realized that a user may sign out and re-sign in within the 24 hour span, thus risking the throttling. As far as I can see, I have two options:
I would ask the user to Sign In with Apple (interactively), obtain a new identity_token (which I would immediately validate), then I would validate the authorization_code to obtain a new refresh_token. Is this process, so far, exempt from 24h throttling? And if so, is validating this new refresh_token also exempt from 24h throttling since it's originating from a new identity_token? Or would the old refresh_token still even work for that user? (in which case I could do option #2:
I would ask the user to Sign In with Apple (interactively), obtain a new identity_token (which I would immediately validate), but skip the authorization_code validation. Instead, I would still trust the old refresh_token, and validate it every 24 hours as usual.