Difference between authToken and refreshToken
hatsumatsu opened this issue
Looking through the docs I couldn't find an explanation of how authToken and refreshToken differ except in their default lifespan (5min vs. 1 year?). Both seem to enable querying private data like draft posts but are they completely interchangeable? When should we prefer one over the other?
PS: Thank you for providing this powerful toolset to the WP community.
@hatsumatsu The auth token is only valid for 5 mins, so after those 5 minutes you would need to fetch a new authToken with your refreshToken. RefreshTokens should/can only be used to fetch new authTokens.
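The pattern described in this reply (use the short-lived authToken for queries, fall back to the refreshToken only to mint a new authToken) as an added client example. This is not code from the plugin or from the thread; it assumes the `refreshJwtAuthToken(input: { jwtRefreshToken })` mutation shape and the default 5 minute lifespan, uses constructed unsigned demo tokens so the client can read `exp`, and replaces the real WordPress endpoint with an in-process fake `fetch` so it runs offline.

```javascript
// Added example: an authToken / refreshToken client loop for a WPGraphQL-style endpoint.
// Assumptions: mutation `refreshJwtAuthToken(input: { jwtRefreshToken })` returning
// `authToken`; tokens are JWTs whose payload carries `exp`. Nothing here is plugin code.

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Constructed, UNSIGNED demo token. The client only reads `exp` from it; signature
// verification is the server's job, so the client never needs the secret.
function makeDemoToken(expSeconds, role) {
  const header = b64url({ alg: "HS256", typ: "JWT" });
  const payload = b64url({ exp: expSeconds, data: { user: { role } } });
  return `${header}.${payload}.demo-signature`;
}

function tokenExpiry(token) {
  const [, payload] = token.split(".");
  if (!payload) throw new Error("malformed token");
  return JSON.parse(Buffer.from(payload, "base64url").toString("utf8")).exp;
}

// Treat a token as expired a little early so a request does not race the server clock.
function isExpired(token, nowSeconds, skewSeconds = 30) {
  return tokenExpiry(token) - skewSeconds <= nowSeconds;
}

class WpGraphqlClient {
  constructor({ endpoint, authToken, refreshToken, fetchImpl, now }) {
    Object.assign(this, { endpoint, authToken, refreshToken, fetchImpl, now });
    this.refreshCount = 0;
  }

  async post(body, bearer) {
    const headers = { "Content-Type": "application/json" };
    if (bearer) headers.Authorization = `Bearer ${bearer}`;
    const res = await this.fetchImpl(this.endpoint, { method: "POST", headers, body: JSON.stringify(body) });
    const json = await res.json();
    if (json.errors) throw new Error(json.errors.map((e) => e.message).join("; "));
    return json.data;
  }

  // The refreshToken is only ever sent here, as mutation input, never as a Bearer header.
  async refresh() {
    const data = await this.post({
      query: "mutation Refresh($token: String!) { refreshJwtAuthToken(input: { jwtRefreshToken: $token }) { authToken } }",
      variables: { token: this.refreshToken },
    });
    this.authToken = data.refreshJwtAuthToken.authToken;
    this.refreshCount += 1;
    return this.authToken;
  }

  async query(query, variables = {}) {
    if (isExpired(this.authToken, this.now())) await this.refresh();
    return this.post({ query, variables }, this.authToken);
  }
}

// Fake server (an assumption for the demo): accepts the known refreshToken on the refresh
// mutation, rejects expired bearers on everything else, and returns a constructed draft post.
function makeFakeServer({ now, refreshToken }) {
  const reply = (obj) => ({ json: async () => obj });
  return async function fakeFetch(_url, opts) {
    const body = JSON.parse(opts.body);
    const bearer = (opts.headers.Authorization || "").replace(/^Bearer /, "");
    if (body.query.includes("refreshJwtAuthToken")) {
      if (body.variables.token !== refreshToken || isExpired(refreshToken, now(), 0)) {
        return reply({ errors: [{ message: "invalid refresh token" }] });
      }
      return reply({ data: { refreshJwtAuthToken: { authToken: makeDemoToken(now() + 300, "author") } } });
    }
    if (!bearer || isExpired(bearer, now(), 0)) return reply({ errors: [{ message: "Expired token" }] });
    return reply({ data: { posts: { nodes: [{ title: "Draft post", status: "draft" }] } } });
  };
}

// Drives a simulated clock: first query inside the 5 minute window, second one after it.
async function demo() {
  let clock = 1000;
  const now = () => clock;
  const refreshToken = makeDemoToken(clock + 365 * 86400, "author"); // default ~1 year
  const client = new WpGraphqlClient({
    endpoint: "https://example.invalid/graphql", // placeholder, never contacted
    authToken: makeDemoToken(clock + 300, "author"), // default 5 minutes
    refreshToken,
    fetchImpl: makeFakeServer({ now, refreshToken }),
    now,
  });
  const q = "{ posts(where: { status: DRAFT }) { nodes { title status } } }";
  const first = await client.query(q);
  clock += 400; // past the authToken lifespan
  const second = await client.query(q); // triggers exactly one refresh
  return { first, second, refreshCount: client.refreshCount };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The point of the design is that the refreshToken crosses the wire only inside the refresh mutation, so a leaked authToken buys an attacker at most the remaining minutes of its lifespan, while the year-long refreshToken is never exposed as a Bearer credential on ordinary data requests.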
@martinowren Thank you for clarifying.
> RefreshTokens should/can only be used to fetch new authTokens.
In my tests though refreshTokens do allow fetching private data like draft posts without obtaining a new authToken (which is handy).
The official example of how to use WordPress with Next.js uses this approach, too.
@martinowren Looking at this question and #144 again I assume the refreshToken and authToken returned from the login mutation reflect the permissions of the provided user. So logging in a user with the author role would return tokens that do not allow changing posts from other users?
Is this how the plugin works?