Authentication

Please check the question below

Hi Karan,

Thanks for your detailed follow-up questions! Let me address each one:

Question 1: OAuth Session Management

ServiceM8 data without requiring you to stay logged into ServiceM8. The OAuth tokens work independently of your ServiceM8 session status.

For sub-admin access, your implementation should store the tokens securely and determine what data to show based on your business logic. If sub-admins are also ServiceM8 users with their own accounts, each would need to complete their own OAuth flow to access their specific ServiceM8 data - you cannot share tokens across different ServiceM8 accounts for security reasons.

Question 2: API Keys vs OAuth

API Keys are not "under OAuth" - they are a separate authentication method and can be used for server-to-server integrations as well. They are secure when managed properly. API Keys allow for reading and posting data to ServiceM8.

————————
about 1 hour ago by Karan Kunal Karan Kunal
Can we persist OAuth token and customise expiry duration and store in database to be fetched used by sub-admins of same servicem8 account ?

For access-token: 1 hour (fixed, cannot be changed by developers).
For refresh-token: 1 year (expiry time) which can be used in the backend server to generate new OAuth access token within the interval of every 1 hr