At Infusionsoft we are expected to provide secure storage for confidential data to our end users, while also providing third-party access to that data at an end user’s explicit request. When you build an integration with the Infusionsoft API, you are acting at the behest of a user to access that user’s application data, and the OAuth token represents that authority. You only need to be granted it once; within the refresh window you can refresh it as needed to keep it from going stale, whether from a cron job, on session initialization, or by any number of other methods. The refresh window is currently six months, although to protect your users we recommend refreshing on a much more frequent basis.
Does it require a few extra steps to implement? Definitely. We’re working to minimize the impact of that, and have plans to improve authentication to ease consumers through it. Recent changes to Account Central have already made it much, much easier to get a token for personal use if required. Things like refreshing can be a hassle to set up, but refreshing also prevents third parties who gain access to the token from having unlimited lifetime access to the user’s data.
Does it provide benefits and security that far outweigh its costs? Absolutely. We are dedicated to making the platform reliable and secure so that your clients’ data is protected.
OAuth enables this by allowing an explicit, individually revocable grant to a particular API consumer for a particular user’s application data. A single token per application, by contrast, is neither secure (since it is shared among all consumers), nor individually revocable (since resetting it cuts off every integration’s access to that application), nor traceable (since all consumers access the data via the same key).
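As an added example (not Infusionsoft’s own code), here is the refresh schedule from the first paragraph in Python: the refresh window is roughly six months, the integration refreshes on its own far shorter schedule, and once the window has closed it stops trying and sends the user back through authorization. The token endpoint URL is a placeholder, the form fields follow the RFC 6749 refresh_token grant, and the HTTP call is injected so the logic runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict
from urllib.parse import urlencode
from urllib.request import Request, urlopen
import json

TOKEN_ENDPOINT = "https://TOKEN-ENDPOINT-PLACEHOLDER/token"  # placeholder, not the real endpoint
REFRESH_WINDOW = timedelta(days=182)  # roughly the six-month window from the post
REFRESH_EVERY = timedelta(days=1)     # refresh far more often than the window requires

@dataclass
class TokenRecord:
    access_token: str
    refresh_token: str
    issued_at: datetime  # UTC time the current token pair was issued

def needs_refresh(rec: TokenRecord, now: datetime) -> bool:
    """Refresh on our own schedule instead of waiting for the window to close."""
    return now - rec.issued_at >= REFRESH_EVERY

def window_expired(rec: TokenRecord, now: datetime) -> bool:
    """Past the window the refresh token is useless; the user must re-authorize."""
    return now - rec.issued_at >= REFRESH_WINDOW

def post_form(url: str, fields: Dict[str, str]) -> Dict[str, str]:
    """Real transport: POST application/x-www-form-urlencoded, decode the JSON reply."""
    with urlopen(Request(url, data=urlencode(fields).encode(), method="POST")) as resp:
        return json.loads(resp.read().decode())

def refresh(rec: TokenRecord, client_id: str, client_secret: str, now: datetime,
            post: Callable[[str, Dict[str, str]], Dict[str, str]] = post_form) -> TokenRecord:
    """Exchange the refresh token for a new pair (RFC 6749 refresh_token grant)."""
    if window_expired(rec, now):
        raise RuntimeError("refresh window closed; send the user through authorization again")
    reply = post(TOKEN_ENDPOINT, {
        "grant_type": "refresh_token",
        "refresh_token": rec.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    # A server that rotates refresh tokens returns a new one; fall back to the old one
    # only if none is returned. Persist the new record before discarding the old pair.
    return TokenRecord(reply["access_token"],
                       reply.get("refresh_token", rec.refresh_token), now)
```

Run `needs_refresh` from whatever scheduler you already have (cron, session start) and call `refresh` when it returns true; a `RuntimeError` means the user has to grant access again.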