[OSM-dev] oauth token validity

Matt Amos zerebubuth at gmail.com
Tue Sep 1 01:00:03 BST 2009

On 8/31/09, Etienne Chové <chove at crans.org> wrote:
> Hi,
> I'm trying to implement oauth on my online application. It works (using
> the dev server) and I can get request token, authorize it, get access
> token and modify data.
> My questions are on access token expiration:
>   - how to know when a token will expire?

currently tokens do not expire unless manually revoked by the user.
there is talk of adding a feature for app developers to set an expiry
time, but it has not been implemented.

>   - does user activity change expiration time for the token?


>   - how to know what a token is allowed to access/modify?

when you set up your app you ask for certain permissions. the user can
grant some, but not necessarily all, of these. when you make requests
to a URL which isn't permitted, you will get a forbidden response with
the error text "OAuth token doesn't have that capability."

>   - how to know if a token is still active?

make a request. if it doesn't work, the token has been revoked or
never had that permission. forward the user to a page where they can
set it up ;-)

> Sorry for my bad skills, I discovered oauth this morning.

no problem - the more the merrier :-)
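
Added example, not part of the original message or of the OSM code base: one way a client could turn the responses described above into a decision about a stored token. The capability labels, the class and function names, and the treatment of other 401/403 responses as revocation are assumptions; only the "forbidden" response and its error text come from the reply.

```python
from dataclasses import dataclass, field
from enum import Enum

# Error text quoted in the reply for a request outside the granted permissions.
CAPABILITY_ERROR = "OAuth token doesn't have that capability."

class Verdict(Enum):
    OK = "ok"
    MISSING_CAPABILITY = "missing_capability"
    REAUTHORIZE = "reauthorize"
    NOT_A_TOKEN_PROBLEM = "not_a_token_problem"

def classify(status: int, body: str) -> Verdict:
    """Map one API response to what it says about the access token."""
    if 200 <= status < 300:
        return Verdict.OK
    if status == 403 and CAPABILITY_ERROR in body:
        return Verdict.MISSING_CAPABILITY
    if status in (401, 403):
        # Assumption: any other auth failure means the token was revoked.
        return Verdict.REAUTHORIZE
    # 404, 409, 5xx and the like say nothing about the token; keep it.
    return Verdict.NOT_A_TOKEN_PROBLEM

@dataclass
class TokenRecord:
    """What the app has learned about one stored token (hypothetical helper)."""
    usable: bool = True
    refused: set = field(default_factory=set)  # capabilities the user did not grant

    def observe(self, capability: str, status: int, body: str) -> Verdict:
        """Record the outcome of one request made with this token."""
        verdict = classify(status, body)
        if verdict is Verdict.OK:
            self.refused.discard(capability)
        elif verdict is Verdict.MISSING_CAPABILITY:
            self.refused.add(capability)
        elif verdict is Verdict.REAUTHORIZE:
            self.usable = False
        return verdict

    def must_reauthorize(self, needed: set) -> bool:
        """True when the user has to go through the authorize page again."""
        return not self.usable or bool(self.refused & needed)
```

Keying the record on a token identifier rather than the token secret keeps the secret out of application logs and state dumps.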


