I'm kinda confused using Google API
I've a FORM on my website for booking events on my public calendar. Whenever a user books an event, I make a call to get an Access Token (using Client ID & Secret and Refresh Token), but using the same Refresh Token that I generated initially. For every new Access Token, I'm using the same Refresh Token. It's all working fine. But I don't understand the flow.
Do I need to generate a new Refresh Token on every call? What are some limitations of not doing so? Can I keep on generating Access Token with the same Refresh Token indefinitely? Thanks!
Refresh tokens are long lived they can expire if the user who's account was used to create it removes access. If its not used in the last six months google will also expire the refresh token. Here is one that is a bit tricky if you use the client id to request access of the user you get a refresh token if you do it again you get another refresh toke technically both refresh tokens work you can do this up to 50 times on the 51's time the first one will be expired. You can use a refresh token as many times as you want to get a new access token.
My question for you is who's google calendar are you writing to the users or some default one on your website? If this is a central Google calendar that you are writhing to then you should consider using a service account rather than Oauth2. I have an article on how service accounts are used if you are interested. Google Developer service accounts