Best Practices
Best Practices
The following are a list of best practices which are suggested when building a client to USTA:
Check for a 401 after every API request
Get a new token - once only
Retry the API request - once only
Protect your access tokens and refresh tokens
Once delivered to the client app, the tokens provide access to your information an the client app is responsible for keeping them safe
Access tokens are valid for 1 hr before requiring refresh via refresh token
Always use HTTPS rather than HTTP
API raises exceptions for many different reasons, such as invalid parameters, authentication errors, and connection failure. We recommend writing code that gracefully handles all possible API exceptions. See error codes page for a complete list.
Large data sets are paginated. Read the data in chunks following pagination implementation and handle one chunk at a time.
Token TTLs
The following are time-to-live (TTL) settings for token expiration. The JWT token has a claim (field) that needs to be checked to when it expires. It is expressed as a NumericDate measured in UTC time format.
Token | TTL | JWT Claim |
|---|---|---|
Access Token | 1 Hour | exp |
Refresh Token | 30 Days | exp |
Working With JWT Tokens
JWT tokens are encrypted JSON format and contain fields called claims. Once you generate an Access Token, you can examine the contents at http://jwt.io . This is a valuable debugging tool.
Bound Mode/Authentication Code
Check For 401 Status Response To Determine Whether To Use Refresh Token
One simple way t deterine if the Access Token has expired is to check each API call for a 401 status in the response. In this case, use the Refresh Token to get a new short-lived Access Token without additional authentication.
Keep Track Of Expiration Time To Live
A more involved method is to track the expiration TTL when you retrieve your Access Token. If the time has expired, then use the Refresh Token to get a new short-lived Access Token and repeat the API call with the new Access Token.
See: https://ustadigital.atlassian.net/wiki/spaces/DEV/pages/edit-v2/998604834
Unbound Mode/Authentication Code
Check For 401 Status Response To Determine Whether To Request A New Access Token
One simple way t deterine if the Access Token has expired is to check each API call for a 401 status in the response. In this case, call the Token endpoint to get a new a new short-lived Access Token without additional authentication and repeat the API call.
Keep Track Of Expiration Time To Live
A more involved method is to track the expiration TTL when you retrieve your Access Token. If the time has expired, call the Token endpoint to get a new a new short-lived Access Token without additional authentication and repeat the API call.
See: https://ustadigital.atlassian.net/wiki/spaces/DEV/pages/1000997095
Pagination
Pagination is implemented on endpoints that contain potentially large result sets.
"pagination": {
"currentPage": 0,
"pageSize": 0,
"totalPages": 0,
"totalResults": 0
}Where:
currentPage - the index of the page within the set.
pageSize - the number of items on each page.
totalPages - the upper bound of pages for looping.
totalResults - the aggregate number of items returned across all pages.