I'm looking for some guidance with the upcoming requirement for expiring access tokens.
The eCommerce system I work with has a Clover web integration for processing orders/payments and an Android app that's main use is onboarding new Clover merchants from Clover devices. The Android app generates an access token and sends it to our web API endpoint and is meant to be one-time use but merchants can manually update their access token from there as well.
It appears that updates will be needed on the web portion of the integration to migrate existing merchant API tokens ( https://docs.clover.com/docs/legacy-token-migration-flow ), and also to manage expiring tokens. However, it is unclear to me if changes are needed for the Android app.
My main questions are:
1) Does the Android onboarding app that uses CloverAuth.authenticate() need any changes to manage expiring access tokens or to save refresh tokens? I noticed this post has a similar question but at the time of posting this has no responses yet: https://community.clover.com/questions/62792/epxiring-access-tokens-for-android-and-oauth-for-c.html
2) The docs mention that "Frontend apps that use OAuth to authenticate users to their own apps often don't need a refresh token." ( https://docs.clover.com/docs/refresh-access-tokens ). How do I know if the Android app that sends an access token to our app's web API needs or doesn't need to create the refresh token?
Thanks for any help.