Question about Access Token
Closed this issue · 4 comments
Hi Twilio team,
I've been playing with Voice Quickstart Twilio Objective-C for quite a while now. I'm pretty new to this so I'm trying to understand the lifecycle of the Access Token. I saw that fetchAccessToken gets called in didUpdatePushCredentials and didInvalidatePushTokenForType. Can you explain how often these are called?
I saw an explanation in issue #49 stating that the main idea of using Access Token is to provide a "one-time" operation authentication, for registration requests or the signaling handshake when making outgoing calls. That being said, we still recommend that you generate access tokens with expiry equal or longer than 1 hour when making outgoing calls.
If my app only receives incoming calls without making outgoing calls, do I still need to refresh the Access Token? What happens if the token expires?
Thank you!
Hi @chuongle
This is a good question.
For your use case (incoming only), you only need valid access tokens whenever you want the SDK to perform (un)registration. As you have read in the other issue, as long as the access token is valid, once the operations (making call, registering) are finished you don't have to be worried when the token has expired.
Twilio has a policy for access token expiry, which is up to 24 hours. Tokens that have expired or have an expiry time other than 1 sec to 24 hours will fail the authentication.
In the Programmable Voice mobile SDK world, as long as you are registered to the service and the Apple VoIP service certificate is still valid, the app should be able to receive incoming call invites. Your registration bindings won't be affected by the access token expiry ;)
Hope this answers your question.
-bobie
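An added example, not part of the thread and not Twilio's code: a check an app or its token server could run before a register/unregister call, the only operations that need a live token in the incoming-only case described above. It assumes the access token is a JWT carrying a standard `exp` claim; `make_sample_token`, `seconds_left`, `needs_fresh_token` and the 30-second margin are hypothetical names and values.

```python
import base64
import hashlib
import hmac
import json
import time

MIN_TTL, MAX_TTL = 1, 24 * 3600  # expiry window quoted in the reply above, in seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(secret: bytes, issued_at: int, ttl: int) -> str:
    """Constructed HS256 JWT for the demo; a real token comes from your token server."""
    if not MIN_TTL <= ttl <= MAX_TTL:
        raise ValueError(f"ttl {ttl}s is outside the {MIN_TTL}s..{MAX_TTL}s window")
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"iat": issued_at, "exp": issued_at + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def seconds_left(token: str, now: int) -> int:
    """Read exp from the payload. No signature check: the client never holds the secret
    and only the service decides validity; this is a scheduling hint, not authentication."""
    try:
        payload = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
        return int(claims["exp"]) - now
    except (IndexError, KeyError, ValueError, TypeError):
        return 0  # malformed token: treat as already expired


def needs_fresh_token(token: str, now: int, margin: int = 30) -> bool:
    """True when the app should call its token endpoint before register/unregister."""
    return seconds_left(token, now) <= margin


if __name__ == "__main__":
    now = int(time.time())
    token = make_sample_token(b"constructed-demo-secret", now - 3590, 3600)
    print(seconds_left(token, now), needs_fresh_token(token, now))
```

The check only decides when to fetch a new token; an existing registration binding does not depend on it, as the reply above explains.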
Hi @bchen-twilio
Thank you for clearing this up for me. Let me make sure I understand this. When the app starts, didUpdatePushCredentials will be called and the Twilio SDK will register with a valid access token and device token. From that point the app will be able to receive incoming call invites even though the token expires. At this point the SDK can still connect the call with the expired token. Does this logic apply to the Voice Quickstart Android as well?
Another dumb question: in which case do I need to unregister the access token? What exactly triggers didInvalidatePushTokenForType?
Thank you!
Hey @chuongle
Once you have successfully registered, the binding of that identity will exist under your Twilio account SID in the DB unless you explicitly unregister or the Apple VoIP service certificate has expired, which will take 4 (or 5?) years if not revoked manually. As long as the binding is valid, you will be able to receive and accept incoming calls with the credentials embedded in the notification payload sent by the Twilio service. Yes, this applies to the Programmable Voice mobile SDKs, both Android and iOS.
One example of unregistering is for the user to "log out" in the application - once unregistered, the user (identity) won't get any incoming call invites.
We haven't really seen the didInvalidatePushTokenForType: callback being triggered yet, but according to the developer documentation by Apple, this method is called when the certificate is invalid, most likely when it is revoked or has expired. The application is supposed to tell the Twilio service by calling the unregister method to remove the binding associated with the certificate.
-bobie
Ahhh. That makes sense. Thank you for your help! I will close this issue now.