This is what I received from Dwolla support:
Is access/refresh token pair unique by application or by Dwolla customer/account?
To clarify access tokens in greater detail: There are two types of access tokens used for API v2.
- An application access token which gives an application access to authenticate against resources that belong to the app itself, which are webhooks, webhook-subscriptions, and events.
- An account access token which is issued to an application and used to interact with resources that an account has access to such as Transfers, funding sources, and Customers.
An access token and refresh token for a user account is issued to an application and is unique to the app it is issued to. Note: For white label there will be a single account access token that is in charge of all white label related interactions.
Based on your OAuth doc, the refresh_token lifetime is 60 days and our question is:
We are not sure if it's only for 60 days after user authorisation (in this case, it can be used up to 2 invoices/months)
A refresh token is paired with an access token and the time to live is based on when it was issued to the application. For white label, this 60-day period isn’t an issue as you will be refreshing authorization quite often.
Is this period reset every time the token pair is refreshed? (we can call your api monthly and keep the latest valid token)
Correct. Every time you refresh authorization on an account token you’ll receive a new access token and refresh token pair. The access token will have a ttl of 1 hour and the refresh token 60 days.
We try to know if we need to ask for a user auth after this period or if our app can continue creating transactions without user interaction.
Adding on to my previous replies above, and assuming this is for white label, you’ll interact with each user on your app with a single account access token (your own “partner” Dwolla account). You’ll be creating a Customer object in the API which represents a user on your app.
If the refresh_token changes every time the access_token is refreshed we should store the valid (latest?) refresh token in a database. Is that correct?
Correct. Once you refresh authorization the existing token set will be invalidated. The new refresh token will need to be stored.
From the example provided in your email, it appears that you are wanting to send variable amounts for variable dates in the future. With ACH, a specific authorization is required in order to allow this functionality. The user must agree to an on-demand bank transfer authorization when they are adding their funding source (Bank Account) within Dwolla. If using IAV, it’s as simple as us enabling a feature on the Partner Dwolla Account which allows the authorization text to display.
Scheduled/recurring & the Dwolla API:
Dwolla doesn’t have scheduled/recurring built into our new v2 API. If you’re looking to do recurring payment type functionality then you will need to build your own scheduler and then call our Transfers API to kick off the transaction on a specified date.
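A sketch of the token handling the replies describe, as an added example that is not part of the support email or Dwolla's own code: the stored pair is replaced on every refresh, and a pair older than 60 days forces a new user authorization. `TokenStore`, `refresh_fn` and `FakeAuthServer` are hypothetical names; `refresh_fn` stands in for whatever call your app makes to the token endpoint, and the SQLite table is constructed for the example.

```python
import sqlite3
import time

ACCESS_TTL = 3600          # access token: 1 hour (from the support reply)
REFRESH_TTL = 60 * 86400   # refresh token: 60 days (from the support reply)

class ReauthorizationRequired(Exception):
    """No usable refresh token: the account owner has to authorize again."""

class TokenStore:
    # refresh_fn is hypothetical: takes a refresh token, returns (access, refresh).
    def __init__(self, db, refresh_fn, clock=time.time):
        self.db, self.refresh_fn, self.clock = db, refresh_fn, clock
        db.execute("CREATE TABLE IF NOT EXISTS tokens (id INTEGER PRIMARY KEY "
                   "CHECK (id = 1), access TEXT, refresh TEXT, issued_at REAL)")

    def save(self, access, refresh):
        with self.db:  # one transaction: the row holds the old pair or the new one
            self.db.execute("INSERT OR REPLACE INTO tokens VALUES (1, ?, ?, ?)",
                            (access, refresh, self.clock()))

    def access_token(self, skew=60):
        row = self.db.execute("SELECT access, refresh, issued_at FROM tokens").fetchone()
        if row is None:
            raise ReauthorizationRequired("no token pair stored")
        access, refresh, issued_at = row
        age = self.clock() - issued_at
        if age < ACCESS_TTL - skew:
            return access                      # still inside the 1 hour window
        if age >= REFRESH_TTL:
            raise ReauthorizationRequired("refresh token is past 60 days")
        access, refresh = self.refresh_fn(refresh)
        self.save(access, refresh)             # old pair is invalid from here on
        return access

class FakeAuthServer:
    """Constructed stand-in for the token endpoint; rotates the pair each time."""
    def __init__(self):
        self.count, self.current = 0, None

    def issue(self):
        self.count += 1
        self.current = f"refresh-{self.count}"
        return f"access-{self.count}", self.current

    def refresh(self, refresh_token):
        if refresh_token != self.current:
            raise PermissionError("refresh token was already rotated")
        return self.issue()
```

Seed the store once with the pair obtained at authorization (`store.save(access, refresh)`), then have the scheduler call `store.access_token()` before each transfer.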