
Hey community,

I’m facing a tricky issue with my application when fetching boards, items, images, and document binaries using the Miro API.

Here’s the flow:

  1. Token Generation: Each time the application starts, it obtains a token to authenticate API requests.
  2. Handling Redirects: When fetching images and binary documents, I receive a 307 Redirect. I handle this by extracting the Location header and redirecting accordingly.

This works fine up to this point.

However, the issue arises after the redirect:

  • The redirected host requires a new token, causing my application to break since subsequent requests still use the old token.

My experience with APIs suggests it’s possible to maintain multiple valid tokens simultaneously for different requests.

My Question:

Why does the Miro API invalidate - delete the old token when a new one is generated?

Is it possible to have multiple tokens active at the same time for different requests in Miro?

Any insights or suggestions would be greatly appreciated!

Let me know if you have any questions - I know that this topic is kinda complicated.

Thanks in advance,

 

BR

 

Vas

Hey ​@vkoko 

Have you tried setting the redirect parameter to false? You should get a URL which is valid for 60 seconds and can be used to retrieve the resource file directly. If I understand it correctly, then this approach avoids the 307 TEMPORARY_REDIRECT HTTP response and the need to handle redirects, which should prevent the issue of requiring a new token after the redirect.

Would this be an option for you?
 

Why does the Miro API invalidate - delete the old token when a new one is generated?

This maintains a security environment / helps prevent potential security risks associated with having multiple active tokens. 


Hey ​@Horea Porutiu 

Thank you for your suggestion—it makes sense and is working as expected.

However, the issue is that I need to make an additional request to fetch the actual file, which results in long wait times due to API throttling.

This is why I would like to avoid the extra request.

Could you please confirm if it’s not possible to have more than one token at the same time?

Best regards,
Vas


 

Hey ​@vkoko 

From what I understand, you can only have one token per app per user. While the extra request is not ideal, it may be the best way forward for now.

I've also tested this in Postman with redirect=true and was able to get a 200 without getting the 307 redirect, so it's possible Postman handles this redirect and you may be able to get away without the extra API call.


Hello ​@Horea Porutiu,

Thanks for your prompt answers.

I’ve identified a potential issue that could arise when making changes to thousands of boards using my app. 

Imagine this scenario:  

1. My app starts processing changes in boards (creating items, connectors etc) and runs for over an hour. By that point, it has completed approximately 85% of the task.  
2. The access token used for authentication expires after one hour.  

If my app relies on a single token for its entire execution, the process will fail once the token expires, as the already running application cannot utilize the refresh token.

This means the app won’t be able to complete the task successfully. 

Is my understanding of this limitation correct?  

Additionally, I noticed something when testing with Postman:  

- Postman receives the same 307 redirect code but handles the redirection automatically.  
- In the console logs (please see the attached picture, focusing on the bottom-right corner), you can see that when the request is sent with `redirect = true`, Postman receives a 307 status. 

It then automatically sends another request and ultimately receives a 200 OK status along with the actual binary file.  

Could you clarify if there’s a way to replicate this behavior programmatically or any workaround for the token expiration issue?  

Thank you.  
 

 

Postman:

 

 


Hi ​@vkoko 

Have you tried something like this?

curl --location 'https://api.miro.com/v2/boards/*******/resources/documents/******?redirect=true' \
--header 'Authorization: Bearer ******' \
--output ~/Desktop/img1.pdf

This way I was able to automatically download the binary file and save it to my desktop as a PDF. 

Would this solve your issue? 
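
Added example, not code from this thread or from Miro: one way to do in a script what `curl --location` does in the command above, following the 307 by hand and sending the Authorization header only to the original origin (curl likewise withholds it from other hosts unless `--location-trusted` is given). That the redirect target is a different host which needs no bearer token is an assumption; `BOARD_ID`, `DOC_ID`, `files.example.test` and `fake_send` are constructed placeholders.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it automatically

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def urllib_send(url, headers):
    """Real transport: one GET, no auto-redirect -> (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=30) as r:
            return r.status, _lower(r.headers), r.read()
    except HTTPError as err:  # urllib raises for an unfollowed 3xx and for 4xx/5xx
        return err.code, _lower(err.headers), err.read()

def origin(url):
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port

def download(url, token, send=urllib_send, max_hops=5):
    """Follow redirects by hand; the bearer token is sent to the first origin only."""
    first = origin(url)
    for _ in range(max_hops + 1):
        headers = {"Authorization": f"Bearer {token}"} if origin(url) == first else {}
        status, resp_headers, body = send(url, headers)
        if status not in REDIRECTS:
            return status, body
        if "location" not in resp_headers:
            raise RuntimeError(f"HTTP {status} without a Location header")
        url = urljoin(url, resp_headers["location"])
    raise RuntimeError("too many redirects")

# Constructed stand-in for the two servers, so the logic can be checked offline.
API_URL = "https://api.miro.com/v2/boards/BOARD_ID/resources/documents/DOC_ID?redirect=true"
FILE_URL = "https://files.example.test/doc.pdf?sig=CONSTRUCTED"
seen = []  # (url, headers) for every request the fake transport receives

def fake_send(url, headers):
    seen.append((url, dict(headers)))
    if url == API_URL:
        return 307, {"location": FILE_URL}, b""
    return 200, {}, b"%PDF-constructed"
```

Calling `download(API_URL, token)` with the default transport performs the real requests; passing `send=fake_send` exercises the same logic without network access.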


Hey  ​@Horea Porutiu 

Thanks for your suggestions.

Yes, the curl command that you sent me works fine, but I still cannot use it in my script.

Anyway, the conclusion is that we can have 1 token - per app - per user.

And there is no way to have 2 or more active tokens at the same time.

 

