> This is how it was designed for personal tokens.

Where is that behavior documented?

Hi Bretta,

Ok, I understand.  Thanks for clarifying. 🙂 

The documentation is not very clear about the behaviour.  

Best regards,

Johan

That's my point - if it's not clear or if it's assumed, then it's a (documentation) bug.

I still think that the answer is not correct (i.e. there may be a problem with your script).

When I last tried - but that was a while ago (I shot a PowerShell demo with AIQ, it's on YouTube) - I'd rotate my token and it worked. 

Hi,

This is my script. Hope you find something wrong with it. 🙂

/Johan

import requests, http.client, os, time, json

def open_refresh_token(refresh_token_file):
file = open(refresh_token_file,"r")
refresh_token = file.readline().strip()
file.close()
return refresh_token

def save_new_refresh_token(new_refresh_token, refresh_token_file):
file = open(refresh_token_file,"w")
file.write(new_refresh_token)
file.close()

def get_new_refresh_token(refresh_token):
conn = http.client.HTTPSConnection( "api.activeiq.netapp.com" )
conn_data = json.dumps( { "refresh_token": refresh_token } )

conn.request( "POST", "/v1/tokens/accessToken", conn_data )

# get the response from the HTTPS request
res = conn.getresponse()

if res.status != 200:
print( "Could not get new token data based on current refresh token:", res.status, res.reason )

conn_data = json.loads( res.read().decode( "utf-8" ) )

new_access_key = conn_data["access_token"]
new_refresh_key = conn_data["refresh_token"]
return new_access_key, new_refresh_key

def main():

refresh_token_file = "c:/users/sejha/Downloads/refresh-token.txt"

refresh_token = open_refresh_token(refresh_token_file)

new_access_token, new_refresh_token = get_new_refresh_token(refresh_token)

save_new_refresh_token(new_refresh_token, refresh_token_file)

main()

You could try a newly obtained refresh-token.txt in a new script to see if it works elsewhere i.e. if the token itself is valid.

https://docs.netapp.com/us-en/active-iq/task_generate_tokens_API_services.html

• When obtained programmatically, tokens always come in sets of two: An Access Token and a Refresh Token. The Access Token must be passed to successfully use all APIs (except for one - the Refresh Token is used to programmatically obtain a new set of tokens).

• On the Main API Services page, click Generate Token to view and download the access token and refresh token to invoke APIs.

• You should download and save the access token and refresh token for later use. Access tokens expire one hour after generation and refresh tokens expire after seven days. The refresh token used in this API call will be invalidated after a new refresh token is generated.

It appears to me that a new refresh token is good as long as it's refreshed before 7 days.

It doesn't say that tokens must be generated from https://activeiq.netapp.com/api Generate Tokens.

With your code I get an error, maybe due to poor formatting (indentation, etc.) on my side:

from token import EXACT_TOKEN_TYPES
ImportError: cannot import name 'EXACT_TOKEN_TYPES' from 'token' (/tmp/token.py)

To save time I used the example from https://activeiq.netapp.com/catalog/internal/api-reference/activeiq-public/access-token (Python, right-hand side, copied below) and with this repeated runs returned new access_token and refresh_token on each run.

Then I'd replace my refresh_token with the one from last response and run again and was able to refresh it again. I can't fast-forward 7 days to see if it'd still work that way, but again, the documentation does not say that one loses the ability to refresh tokens after 7 days, it only says that they should be refreshed within 7 days.

You can try the same to test if your `refresh_token` is usable. 

EDIT: when I tried to save this post, I got an error about invalid HTML code in my post which was "automatically removed" - great, maybe the script below has been crippled now - so better get it from the URL above than copy this sample.

#!/usr/bin/python3
import http.client

conn = http.client.HTTPSConnection("api.activeiq.netapp.com")

payload = "{\"refresh_token\":\"ey...rA\"}"

headers = {

'content-type': "application/json",

'accept': "application/json"

 }

conn.request("POST", "/v1/tokens/accessToken", payload, headers)

res = conn.getresponse()

data = res.read()

print(data.decode("utf-8"))

I have to wait until Wednesday this week before I will recieve a refresh token that will fail. ( I manually downloaded a refresh key last wednesday) I can run my script as many times I want during one week and it works perfectly. Each time the script will replace existing refresh token with the new one but as soon as 7 days has passed since the last manual download it fails.. If this is the expected behaviour it would be good if the documentation is updated.    

All right. Let us know how it goes.

You may submit an issue (request for documentation enhancement) by yourself if you have a Github account

- Go to https://docs.netapp.com/us-en/active-iq/task_generate_tokens_API_services.html

- In top right corner, click on "Request doc changes" which will take you to Github where you can propose a better explanation, or simply ask for a clarification and let them brainstorm how to make it better

I have now submitted an issue on Github.

Thanks for your help!

/Johan

Hi @jhammer - okay, well at least we got to the bottom of this.

I still think it's a bug in documentation and leaving the current wording in place will continue to confuse users.

I get my other API tokens from various API providers and three providers I use often issue tokens that last forever (literally, I get tokens that never expire and I use that duration for a token that's "Read Only" - I use that one in Postman to examine data structures returned by the API), so in my mind unusually short duration should be clearly explained in the API docs, which it currently is not.

Hi  @elementx 

I fully agree. About a week ago I did a request on github to get the documentation updated so hopefully it will be done soon.