What are we supposed to do with the access_token?

During a successful first time Apple Sign in, we get an `access_token` field back that has data in it (in addition to a refresh_token, and expires_at). I know that to validate a sign in we use the refresh_token, but I was wondering what to do with the access_token we get back? Do we need it for anything?
The Apple documentation on it says
(Reserved for future use) A token used to access allowed data. Currently, no data set has been defined for access.
So can we ignore it for now?

Accepted Reply

Hi concept47 and angelatestapple


Currently, the access token only indicates a successful refresh token validation. There are currently no endpoints where it can be used and it is reserved for future use. So, it can be ignored for now.

Replies

Hi, have you ever tried to validate the refresh_token? I tried but always got the error of "unsupported_grant_type". Does it apply to you too?


The Post Body I have is:

client_id: "App ID" // same as authorization

client_secret: "App Token" // same as authorization

grant_type: "refresh_token"

code: "refresh_token received from authorization"

Try replacing code with refresh_token ... as per the documentation
The validation server returns a TokenResponse object on a successful validation. When using this endpoint for authorizing the user, use the following parameters: client_id, client_secret, grant_type, code, and redirect_uri. When using this endpoint for validating the refresh token, use the following parameters: client_id, client_secret, grant_type, and refresh_token.

let me know if that works.

Thank you very much for your reply!


There was a typo in my last response and I did use key-value pair of refresh_token: "refresh_token received from authorization". Thank you for the catch! I finally found that the problem was I didn't use "x-www-form-urlencoded" as the body format. After I fixed that, the request to validate refresh token is successful.
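The request the posts above arrive at, as an added example that is not part of the original thread and not Apple's code: it builds the form-encoded body for either use of the endpoint and rejects the `code`/`refresh_token` mix-up before anything is sent. The endpoint URL comes from Apple's public documentation rather than this page, `build_token_request` is a hypothetical helper, and all credential values are constructed placeholders.

```python
import urllib.parse
import urllib.request

# Apple's token endpoint (assumption: from Apple's public docs, not quoted in the thread).
TOKEN_URL = "https://appleid.apple.com/auth/token"

# Parameter sets exactly as listed in the documentation quoted in the thread.
REQUIRED = {
    "authorization_code": {"client_id", "client_secret", "grant_type", "code", "redirect_uri"},
    "refresh_token": {"client_id", "client_secret", "grant_type", "refresh_token"},
}


def build_token_request(grant_type, **params):
    """Return an unsent urllib Request for the token endpoint (hypothetical helper).

    Raises ValueError when the parameter names do not match the grant type,
    e.g. sending `code` together with grant_type=refresh_token.
    """
    if grant_type not in REQUIRED:
        raise ValueError(f"unknown grant_type: {grant_type!r}")
    fields = {"grant_type": grant_type, **params}
    missing = REQUIRED[grant_type] - fields.keys()
    extra = fields.keys() - REQUIRED[grant_type]
    if missing or extra:
        raise ValueError(f"missing={sorted(missing)} unexpected={sorted(extra)}")
    # The body is form-encoded (x-www-form-urlencoded), not JSON.
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    req = build_token_request(
        "refresh_token",
        client_id="com.example.app",
        client_secret="<signed-client-secret-jwt>",
        refresh_token="<refresh-token-from-authorization>",
    )
    print(req.get_method(), req.full_url)
    print(req.get_header("Content-type"))
    print(req.data.decode())
```

The returned object can be passed to `urllib.request.urlopen` once real values are supplied; keep `client_secret` and the refresh token out of logs when doing so.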


I have the same question as yours. Access_token expires in 3600 seconds (1 hour) and it seems to be useless. Let's see whether any Apple staff can answer this question...


Thank you @sudhaker19 for the reply.


If access_token is useless now, may I know what the use for refresh_token is? If I understand the authorization flow correctly, after our server validates the auth code with Apple, the authorization for this one user is done. Why do we need to store the refresh_token as shown in the Apple documentation "The refresh token used to regenerate new access tokens. Store this token securely on your server."? Is the refresh_token valid for each user, or each server?

I have the same question as AngelateStapple. If refresh_token can't be used to obtain access tokens that can be used as authentication tokens, what is the point of the refresh_token?

But more importantly, if not with a refresh token, what is the procedure for authenticating Apple Music API calls for a user after the initial short-lived access token has expired?

Hello, how did you manage to get the access-token returned? I have been trying for 15 days to implement Sign in with Apple in Python, but I am stuck on this error: Error retrieving access token: b'{"error":"invalid_grant","error_description":"The code has expired or has been revoked."}'. Does anyone know what to do?

How do I get an access token the second time using the authcode?