auth models

[Davidcc]

Hello, I read the Authentication documentation, and I understand the user OAuth flow (built more than one before). But not sure what to do with my new app... it's an Alexa skill.
A user would use my skill, that would generate some time entries that i need to post to their Harvest back-end. But a skill is not browser-based and there is no possibility of doing a token flow at that point. I do have a web application backing the skill - a user will go there, authenticate to Harvest and pull a list of Project Task assignments. That makes sense. I can store their Harvest identifiers, and even their OAuth tokens.

But how can the Lambda functions backing the Alexa Skill make authenticated Harvest API request that are identified with the skill user's account?

Maybe I need to use the tokens as set from the web portal? And if they are expired, send them back to the portal to refresh? That could be unworkable depending on the lifetime of the Harvest tokens. If their lifetime is long, I can refresh them, and the user might not need to explicitly refresh unless they go a long period of inactivity.

Any help is much appreciated
Thanks!