Each tenant application will have three security elements associated with it:
They do not expire, but can be refreshed using the developer's portal.
As you'll notice in the developer's guide, a user session ends with receiving a
temp_token. The reason we're not sending the
access_tokendirectly is that we designed the session flow to be developed entirely in a web/mobile context. This choice also facilitates the future development of client SDKs. Hence the middleware returns a temporary token that needs to be sent to your backend first and then exchanged for the final
access_tokenvia a server-to-Finqware API call.
As a side note: we're also considering introducing a callback endpoint as an option. Following the end of a session, Finqware would call an API endpoint provided by your server for the token exchange.