Using the Platform SDK to Automatically Handle Token Refresh Instead of Manual Refresh Calls

How-To-Articles
1

Using the Platform SDK to Automatically Handle Token Refresh Instead of Manual Refresh Calls

What You Will Build

  • One sentence: what the code does when it is working. Configure the Genesys Cloud Platform SDK to automatically intercept expired authentication tokens, trigger a silent refresh cycle, and retry the original request without blocking your application logic.
  • One sentence: which API/SDK this uses. Genesys Cloud Platform SDK (Node.js and Python) interacting with the /api/v2/authorizations/oauth2/token endpoint.
  • One sentence: the programming language(s) covered. JavaScript/TypeScript (Node.js 18+) and Python 3.9+.

Prerequisites

  • OAuth client type and required scopes: Genesys Cloud Service Account with the login scope explicitly assigned. The login scope is mandatory for the SDK to perform automatic token refresh.
  • SDK version or API version: Platform SDK v2.0 or later, targeting Genesys Cloud API v2.
  • Language/runtime requirements: Node.js 18+ with npm, or Python 3.9+ with pip.
  • Any external dependencies: @genesyscloud/purecloud-platform-client-v2 (npm) or genesys-cloud-purecloud-platform-client-v2 (pip).

Authentication Setup

The Platform SDK abstracts the OAuth 2.0 Client Credentials flow by caching the access token and managing expiration internally. You must provide the environment URL, client ID, and client secret during initialization. The SDK stores these credentials and uses them to request a new token when the cached token expires or when the API returns a 401 Unauthorized response.

import { PlatformClient } from '@genesyscloud/purecloud-platform-client-v2';

const platformClient = new PlatformClient();

platformClient.setLoginClientCredentials(
  'https://api.mypurecloud.com', // Environment URL
  'your-client-id',
  'your-client-secret'
);

from purecloudplatformclientv2 import PureCloudPlatformClientV2

platform_client = PureCloudPlatformClientV2()
platform_client.set_environment('mypurecloud.com')
platform_client.login_client_credentials(
    client_id='your-client-id',
    client_secret='your-client-secret'
)

The SDK does not require you to manually call the token endpoint. When you attach credentials, the SDK performs an initial authentication request and caches the resulting JWT. The cache includes the exp claim, and the SDK schedules a background refresh approximately 30 seconds before expiration. If a request executes after the token has expired, the SDK intercepts the 401, triggers a refresh, and automatically retries the failed request.

Implementation

Step 1: SDK Initialization and Credential Configuration

Configuration requires the login scope. Without this scope, the SDK cannot refresh tokens and will permanently fail on expired credentials. Verify your Service Account configuration in the Genesys Cloud admin console before proceeding.

import { PlatformClient } from '@genesyscloud/purecloud-platform-client-v2';
import * as dotenv from 'dotenv';

dotenv.config();

const platformClient = new PlatformClient();

platformClient.setLoginClientCredentials(
  process.env.GENESYS_ENVIRONMENT || 'api.mypurecloud.com',
  process.env.GENESYS_CLIENT_ID,
  process.env.GENESYS_CLIENT_SECRET
);

export default platformClient;

import os
from purecloudplatformclientv2 import PureCloudPlatformClientV2

platform_client = PureCloudPlatformClientV2()
platform_client.set_environment(os.getenv('GENESYS_ENVIRONMENT', 'mypurecloud.com'))
platform_client.login_client_credentials(
    client_id=os.getenv('GENESYS_CLIENT_ID'),
    client_secret=os.getenv('GENESYS_CLIENT_SECRET')
)

The SDK requires the login scope to authorize the refresh grant. You can verify the active scopes by inspecting the decoded JWT payload. The scope claim must contain login. If your Service Account lacks this scope, the SDK will throw a configuration error during initialization.

Step 2: Observing Automatic Refresh on 401 Interception

The SDK uses an interceptor pattern to catch authentication failures. When the API returns a 401, the SDK pauses the request queue, calls the token endpoint, updates the cache, and replays the original request. You can observe this behavior by enabling SDK logging or by attaching a request interceptor.

import platformClient from './platformClient.js';
import { UsersApi } from '@genesyscloud/purecloud-platform-client-v2';

const usersApi = new UsersApi(platformClient);

// Enable debug logging to observe refresh cycles
platformClient.setLogLevel('debug');

async function fetchUserDetails() {
  try {
    const response = await usersApi.getUser({
      userId: 'your-user-id',
      expand: ['userSkills', 'routingProfile']
    });
    console.log('User fetched successfully:', response.body.id);
  } catch (error) {
    console.error('Request failed:', error.status, error.message);
  }
}

fetchUserDetails();

import platform_client_module
from purecloudplatformclientv2 import UsersApi

users_api = UsersApi(platform_client_module.platform_client)
platform_client_module.platform_client.set_log_level('debug')

def fetch_user_details():
    try:
        response = users_api.get_user(
            user_id='your-user-id',
            expand=['userSkills', 'routingProfile']
        )
        print('User fetched successfully:', response.body.id)
    except Exception as error:
        print('Request failed:', getattr(error, 'status', None), str(error))

fetch_user_details()

When the token expires, the SDK logs the refresh cycle before retrying the request. The underlying HTTP request to the authorization endpoint follows this structure:

Request:

POST /api/v2/authorizations/oauth2/token HTTP/1.1
Host: api.mypurecloud.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=your-client-id&client_secret=your-client-secret

Response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer",
  "expires_in": 7200,
  "scope": "login"
}

The SDK parses the expires_in field, calculates the absolute expiration timestamp, and updates the internal cache. The original getUser request is retried with the new token attached to the Authorization header.

Step 3: Configuring Refresh Retry Policies and Timeout Handling

Network instability during the refresh cycle can cause cascading failures. The SDK includes configurable retry policies for authentication endpoints. You must configure these policies to handle transient 429 or 5xx responses during token refresh.

import platformClient from './platformClient.js';

// Configure retry behavior for authentication and general requests
platformClient.setRetryPolicy({
  maxRetries: 3,
  initialDelayMs: 1000,
  maxDelayMs: 5000,
  retryStatusCodes: [429, 500, 502, 503, 504]
});

// Set a strict timeout for the token refresh endpoint
platformClient.setAuthenticationTimeout(8000);

from purecloudplatformclientv2 import RetryPolicy

# Configure retry behavior for authentication and general requests
platform_client.set_retry_policy(
    max_retries=3,
    initial_delay_ms=1000,
    max_delay_ms=5000,
    retry_status_codes=[429, 500, 502, 503, 504]
)

# Set a strict timeout for the token refresh endpoint
platform_client.set_authentication_timeout(8000)

The retry policy applies to the /api/v2/authorizations/oauth2/token endpoint when the SDK triggers a refresh. If the authorization server returns a 429 Too Many Requests, the SDK waits for the Retry-After header value or falls back to exponential backoff. If the refresh fails after exhausting retries, the SDK throws an AuthenticationException and terminates the request queue. You must handle this exception in your application to prevent silent failures.

Complete Working Example

This script demonstrates a production-ready pattern for initializing the SDK, configuring automatic refresh, executing a long-running analytics query, and handling refresh failures gracefully.

import { PlatformClient, AnalyticsApi, WebChatApi } from '@genesyscloud/purecloud-platform-client-v2';
import * as dotenv from 'dotenv';

dotenv.config();

async function main() {
  const platformClient = new PlatformClient();

  // 1. Initialize credentials with auto-refresh enabled
  platformClient.setLoginClientCredentials(
    process.env.GENESYS_ENVIRONMENT || 'api.mypurecloud.com',
    process.env.GENESYS_CLIENT_ID,
    process.env.GENESYS_CLIENT_SECRET
  );

  // 2. Configure retry and timeout policies
  platformClient.setRetryPolicy({
    maxRetries: 3,
    initialDelayMs: 1000,
    maxDelayMs: 5000,
    retryStatusCodes: [429, 500, 502, 503, 504]
  });
  platformClient.setAuthenticationTimeout(8000);

  const analyticsApi = new AnalyticsApi(platformClient);

  try {
    console.log('Fetching conversation details...');
    
    // 3. Execute a request that may span token expiration boundaries
    const response = await analyticsApi.postAnalyticsConversationsDetailsQuery({
      body: {
        pageSize: 10,
        filters: [
          {
            type: 'conversationType',
            filterType: 'conversation',
            value: 'webchat'
          }
        ],
        interval: '2023-10-01T00:00:00.000Z/2023-10-02T00:00:00.000Z',
        groupBy: ['conversationType'],
        aggregations: [
          { name: 'duration', type: 'sum' }
        ]
      }
    });

    console.log('Query completed. Total results:', response.body.total);
    response.body.entities.forEach(entity => {
      console.log(`Group: ${entity.groupBy}, Duration: ${entity.aggregations[0].value}`);
    });
  } catch (error) {
    if (error.status === 401) {
      console.error('Authentication failed. Verify client credentials and login scope.');
    } else if (error.status === 429) {
      console.error('Rate limit exceeded. Implement request throttling.');
    } else {
      console.error('Unhandled error:', error.status, error.message);
    }
  }
}

main();

import os
import sys
from purecloudplatformclientv2 import (
    PureCloudPlatformClientV2,
    AnalyticsApi,
    PostAnalyticsConversationsDetailsQueryRequest,
    ConversationFilter,
    Aggregation
)

def main():
    platform_client = PureCloudPlatformClientV2()
    platform_client.set_environment(os.getenv('GENESYS_ENVIRONMENT', 'mypurecloud.com'))
    
    # 1. Initialize credentials with auto-refresh enabled
    platform_client.login_client_credentials(
        client_id=os.getenv('GENESYS_CLIENT_ID'),
        client_secret=os.getenv('GENESYS_CLIENT_SECRET')
    )

    # 2. Configure retry and timeout policies
    from purecloudplatformclientv2 import RetryPolicy
    platform_client.set_retry_policy(
        max_retries=3,
        initial_delay_ms=1000,
        max_delay_ms=5000,
        retry_status_codes=[429, 500, 502, 503, 504]
    )
    platform_client.set_authentication_timeout(8000)

    analytics_api = AnalyticsApi(platform_client)

    try:
        print('Fetching conversation details...')
        
        # 3. Execute a request that may span token expiration boundaries
        body = PostAnalyticsConversationsDetailsQueryRequest(
            page_size=10,
            filters=[
                ConversationFilter(
                    type='conversationType',
                    filter_type='conversation',
                    value='webchat'
                )
            ],
            interval='2023-10-01T00:00:00.000Z/2023-10-02T00:00:00.000Z',
            group_by=['conversationType'],
            aggregations=[
                Aggregation(name='duration', type='sum')
            ]
        )

        response = analytics_api.post_analytics_conversations_details_query(body=body)

        print('Query completed. Total results:', response.body.total)
        for entity in response.body.entities:
            print(f"Group: {entity.group_by}, Duration: {entity.aggregations[0].value}")
            
    except Exception as error:
        status = getattr(error, 'status', None)
        if status == 401:
            print('Authentication failed. Verify client credentials and login scope.')
        elif status == 429:
            print('Rate limit exceeded. Implement request throttling.')
        else:
            print('Unhandled error:', status, str(error))

if __name__ == '__main__':
    main()

Common Errors & Debugging

Error: 401 Unauthorized After Refresh Attempt

  • What causes it: The Service Account lacks the login scope, or the client secret has been rotated without updating the application configuration. The SDK attempts a refresh, receives a 401 from the authorization server, and propagates the failure.
  • How to fix it: Navigate to the Genesys Cloud admin console, locate the Service Account, and verify the login scope is checked. Rotate the client secret in the console and update your environment variables.
  • Code showing the fix:
platformClient.setLoginClientCredentials(
  'api.mypurecloud.com',
  process.env.NEW_CLIENT_ID,
  process.env.NEW_CLIENT_SECRET
);

Error: 429 Too Many Requests During Token Refresh

  • What causes it: Multiple concurrent services share the same Service Account and trigger simultaneous refresh requests. The authorization server enforces a strict rate limit on token issuance.
  • How to fix it: Distribute refresh load by staggering application startup times or by implementing a distributed cache (Redis) to share a single token across instances. Configure the SDK retry policy to respect Retry-After headers.
  • Code showing the fix:
platform_client.set_retry_policy(
    max_retries=5,
    initial_delay_ms=2000,
    max_delay_ms=10000,
    retry_status_codes=[429, 503]
)

Error: AuthenticationException: Refresh Failed After Max Retries

  • What causes it: Network partition between your deployment environment and the Genesys Cloud authorization endpoint, or firewall rules blocking outbound HTTPS traffic on port 443.
  • How to fix it: Verify network connectivity to https://api.{env}.mygen.com. Ensure proxy configurations are correctly passed to the SDK if operating behind a corporate proxy.
  • Code showing the fix:
platformClient.setProxy({
  host: 'proxy.corp.internal',
  port: 8080,
  username: 'proxy-user',
  password: 'proxy-pass'
});

Official References