How-To Guides
How to Manage API Access Tokens and Refresh Tokens
Best practices for securely storing, refreshing, and rotating Smartcar API tokens.
This guide explains how to store, refresh, and rotate tokens using the Smartcar API.
API Access Token vs. Application Management Token
- API Access Token: Used to access vehicle data and issue commands on behalf of a vehicle owner. These tokens are obtained through the OAuth flow after a user connects their vehicle and are required for all Smartcar API requests involving vehicle data.
- Application Management Token: Used to manage your Smartcar application itself (e.g., configuring webhooks or managing your vehicles). This token is found in the Smartcar Dashboard and is not used for accessing vehicle data or making API requests on behalf of users.
1
Store Tokens Securely
- Store both the
access_tokenandrefresh_tokenin your backend database, never in client-side code. - Encrypt tokens at rest and restrict access to only necessary backend services.
- Associate tokens with the correct user and vehicle for easy lookup and management.
2
Use the Access Token for API Requests
- Use the
access_tokenas a Bearer token in theAuthorizationheader for all API requests.
- If the access token is valid, the API will return the requested data.
3
Detect Expired Access Tokens
- If an API request returns a 401 Unauthorized error, the access token may have expired.
- In this case, use the refresh token to obtain a new access token.
4
Refresh the Access Token
- Make a POST request to the Smartcar OAuth token endpoint with
grant_type=refresh_token.
- Store the new
access_tokenandrefresh_tokenin your database, replacing the old values.
5
Rotate and Revoke Tokens
- Always update both tokens after a refresh.