Securing Your Client Application's Credentials

The client credentials grant type assumes your application has a secure place outside of the user agent (e.g., the browser or a mobile application) to store the client credentials (client id and secret) and access token. Typically, this means your application must run at least partly within a secure server where the credentials can be maintained in a secret store and used server-side only. The application's client credentials must not be exposed to your end users.

Some Recommendations:

Access Token Expiration

  • Access tokens expire in approximately 12 hours. You should cache your access token securely within your client application or system and reuse it until it expires, at which point project44 will respond with HTTP status code 401 Unauthorized, signaling your application must generate a new access token using its client credentials.
  • It is recommended not to keep track of the expiration time in your client application and instead simply make requests until a 401 Unauthorized is returned. The amount of time until a token expires is subject to change by project44 in the future.

Access Token Generation Rate Limiting

  • project44 maintains rate limiting on the OAuth 2.0 token generation endpoint API (/api/v4/oauth2/token). No more than 5 tokens may be generated within a minute, with some lenience for small bursts over that amount.
  • Frequent token generation is unnecessary and highly discouraged. Please reuse tokens as much as possible for improved security and performance.

Generating Multiple Access Tokens

  • Generating a new access token does not invalidate any former access tokens for the same application. An application may therefore hold several valid access tokens at once, but, as above, this should be avoided wherever possible for improved security and performance.
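The three recommendations above (cache the token and reuse it until a 401, stay under the token-endpoint rate limit, and avoid minting several tokens at once) fit together in one small client. The following is an added example, not project44's SDK or code from this page: it assumes a standard `grant_type=client_credentials` form POST to the `/api/v4/oauth2/token` path named above and a JSON reply with an `access_token` field; the host name, the request path in the demo and the `FakeAuthServer` stand-in are constructed so the block runs offline. The client does not track expiry time, as the page advises; it regenerates only after a 401, and the lock plus the `stale` comparison mean that concurrent requests which all hit 401 on the same expired token share one new token rather than each generating their own.

```python
import threading
import time
from typing import Callable, Dict, List, Optional, Tuple

# Transport signature: (method, url, headers, form_fields) -> (status, json_body).
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, str]]], Tuple[int, dict]]

TOKEN_PATH = "/api/v4/oauth2/token"  # token endpoint path from the page


class TokenRateLimiter:
    """Local guard for the page's limit of 5 token generations per minute, so a
    misbehaving retry loop fails here instead of hammering the token endpoint."""

    def __init__(self, max_per_minute: int = 5) -> None:
        self.max_per_minute = max_per_minute
        self._stamps: List[float] = []

    def allow(self, now: float) -> bool:
        self._stamps = [t for t in self._stamps if now - t < 60.0]
        if len(self._stamps) >= self.max_per_minute:
            return False
        self._stamps.append(now)
        return True


class Project44Client:
    """Caches one access token, reuses it until a 401, then regenerates it once."""

    def __init__(self, client_id: str, client_secret: str, transport: Transport,
                 base_url: str = "https://api.example.invalid",  # placeholder host
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client_id = client_id
        self._client_secret = client_secret  # server-side only; never ship to a browser
        self._transport = transport
        self._base_url = base_url
        self._clock = clock
        self._token: Optional[str] = None
        self._lock = threading.Lock()
        self._limiter = TokenRateLimiter()
        self.tokens_generated = 0

    def _generate_token(self) -> str:
        if not self._limiter.allow(self._clock()):
            raise RuntimeError("local token-generation limit reached; back off")
        status, body = self._transport(
            "POST", self._base_url + TOKEN_PATH,
            {"Content-Type": "application/x-www-form-urlencoded"},
            {"grant_type": "client_credentials",
             "client_id": self._client_id, "client_secret": self._client_secret})
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self.tokens_generated += 1
        return body["access_token"]

    def _token_for_request(self, stale: Optional[str] = None) -> str:
        with self._lock:
            # Regenerate only if nobody else has already replaced the stale token.
            if self._token is None or (stale is not None and self._token == stale):
                self._token = self._generate_token()
            return self._token

    def _call(self, path: str, token: str) -> Tuple[int, dict]:
        return self._transport("GET", self._base_url + path,
                               {"Authorization": f"Bearer {token}"}, None)

    def get(self, path: str) -> Tuple[int, dict]:
        token = self._token_for_request()
        status, body = self._call(path, token)
        if status == 401:  # expired: regenerate once and retry, as the page describes
            token = self._token_for_request(stale=token)
            status, body = self._call(path, token)
        return status, body


class FakeAuthServer:
    """Constructed stand-in for the real API: each token is good for
    `calls_per_token` requests, then answers 401 like an expired token."""

    def __init__(self, calls_per_token: int = 3) -> None:
        self.calls_per_token = calls_per_token
        self._issued: Dict[str, int] = {}
        self.token_requests = 0

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 form: Optional[Dict[str, str]]) -> Tuple[int, dict]:
        if method == "POST" and url.endswith(TOKEN_PATH):
            self.token_requests += 1
            if not form or form.get("client_secret") != "constructed-secret":
                return 401, {"error": "invalid_client"}
            tok = f"tok{self.token_requests}"
            self._issued[tok] = self.calls_per_token
            return 200, {"access_token": tok, "token_type": "Bearer"}
        auth = headers.get("Authorization", "")
        tok = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if self._issued.get(tok, 0) <= 0:
            return 401, {"error": "expired"}
        self._issued[tok] -= 1
        return 200, {"ok": True, "path": url}


def demo(requests_to_make: int = 7, calls_per_token: int = 3) -> Tuple[int, int]:
    """Returns (successful requests, tokens generated) for a constructed run."""
    server = FakeAuthServer(calls_per_token)
    client = Project44Client("constructed-id", "constructed-secret", server)
    ok = sum(1 for _ in range(requests_to_make) if client.get("/api/v4/example")[0] == 200)
    return ok, client.tokens_generated


if __name__ == "__main__":
    print(demo())  # 7 successful requests using 3 tokens
```

With seven requests and a fake that expires each token after three calls, every request succeeds and only three tokens are ever generated: the 401 on the fourth and seventh call is absorbed by a single regenerate-and-retry. Swapping `FakeAuthServer` for a real transport (an `http.client` or `requests` wrapper with the same signature) is the only change needed to point it at the live endpoint.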

Delete a Client Application

To delete a client application, use the Delete client app option from either:

  • The (more) menu next to the client app on the Client Applications list page (NA / EU), or
  • The Actions dropdown on the client application's details page.

Generate a new Client secret

If you have lost your client secret and therefore cannot generate a new token, or you would like to rotate your secret:

  1. Go to the Client Applications page for your region (NA or EU).
  2. Select Generate new secret from either the (more) menu next to the client app on the list page, or the Actions dropdown on the details page.
  3. Copy the new secret from the New client application Secret dialog and store it somewhere safe.

The new secret cannot be retrieved after closing the dialog. Token requests will not succeed until you update your stored credentials to use the new secret.

FAQs

  • Currently, only up to 50 client applications may be registered at a time within your project44 account.
  • Tokens last for 12 hours. Cache and reuse them rather than generating new ones.
  • You can generate 5 tokens per minute, with occasional small bursts allowed.