Session token TokenExpiredError

Hey,

I’m getting quite a lot of TokenExpiredError errors when trying to verify my board view’s session token using my app’s client secret.

How long is the session token I’m getting using monday.get("sessionToken") valid for, and if it’s expired, how can I get a new one without reloading the board view? Just call monday.get("sessionToken") again?

Thanks,
Ronen
Eazyform

Hi Ronen,

Great question!

Have you had a chance to check out the “OAuth & Permissions” section of our developers/apps page yet? Here is the page in question: https://monday.com/developers/apps/oauth.

The section mentions that the authorization code which is generated from an authorization endpoint will expire after 10 minutes. However, access tokens, which are different, do not expire and will be valid until the user uninstalls your app.

How long are your sessions? It seems the issue here pertains to your authorization code, not the resulting access token?

-Helen

Helen, I’m intimately familiar with the page you sent me. My question has nothing to do with oauth. Please pass it forward to someone familiar with the subject.

Thanks

Hi Ronen,

My apologies for misunderstanding your first post!

To clarify: the sessionTokens you were referring to are indeed methods in our SDK. They’re encoded as JWT tokens that return a payload and can be parsed using internal libraries such as jsonwebtoken, jose, etc.

FYI the payload includes an “exp” field, and this is the field that will tell you the time (in epoch) of when the token expires!

Our JWT tokens expire after 24 hours.

For curiosity’s sake, here’s a super helpful website you can also use to decode the JWT token you see: https://jwt.io/.

I hope this helps answer your question.

-Helen

@Helen, thanks for the info, repeating my question from above - how can I get a new one without reloading the board view? Just call monday.get("sessionToken") again?

Also, I’m using the sessionToken I get from monday.get("sessionToken") within less than a minute from the moment I get it and still get those errors, which indicates a bug on your end. Do you guys reuse old ones if they haven’t expired?

Thanks,
Ronen

Hi Ronen,

Hmm, no. I don’t believe that would work.

I just tested this out on my end, and a new monday.get("sessionToken") would merely return the same session token. As I understand it, you can only get a new sessionToken upon reloading.

Regarding your second question about reusing old tokens: yes, we will keep using the same sessionToken until a new one is required after 24 hours.

Do you mind sharing a bit more about your process here, and what you’re trying to do? For instance, why are you using your client secret to verify when using our SDK?

Thanks for walking me through it :).

-Helen

Hello,

I have just stumbled upon this post. I am running into this exact issue. Our app has both a board view and an item view. We’re using the sessionToken from the monday.com js sdk for our client <-> server communication. I can verify that this sessionToken is valid for 24 hours. After 24 hours the js sdk doesn’t return a new sessionToken, which it also doesn’t before the sessionToken is expired. The sessionToken seems to be tied to the browser session. Refreshing your browser does return a new sessionToken, it doesn’t matter if the previous was still valid. This is an issue in both item and board views.

Client side calls to the GraphQL API are not affected by this, even after the sessionToken from the sdk is expired I can still make calls to the GraphQL API.

Our board and item views will not work for customers who don’t refresh their browser for more than 24 hours with monday.com in a tab until they perform a hard refresh.

I agree with @rbabayoff, this looks like a bug on your end.

Kind regards,
Fatih