In a number of Exact Online countries, including the UK and BE, requesting a new access token with a refresh token too often via https://start.exactonline.TLD/api/oauth2/token now returns an HTTP 400 (Bad Request). This applies to the Code Grant Flow only; the restriction does not apply to the Implicit Grant Flow.
The payload contains:
{ "error": "access_denied", "error_description": "Rate limit exceeded: access_token not expired" }
The HTTP header Reason carries the same error message, prefixed with the error code TooEarlyToRefreshTokens:
TooEarlyToRefreshTokens: rate limit exceeded: access_token not expired
This error code is not yet included in the documentation.
The HTTP header Retry-After contains a back-off time in seconds, for example 569 (9 minutes, 29 seconds).
When this error occurs, the previously valid refresh token appears to expire as well, so the authorization has to be renewed; simply retrying the refresh after the back-off period is not sufficient.
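As an added illustration of how a client can cope with this behaviour (example code written for this note, not code from the original post or from Invantive's products), the Python below refreshes only once the access token is about to expire, recognizes the 400 response by the TooEarlyToRefreshTokens code in the Reason header, honours Retry-After, and flags that the authorization must be renewed instead of retrying in a loop. The UK token URL, the injected `post` callable, the 30-second clock skew, the 600-second fallback used when Retry-After is absent, and the sample response are assumptions constructed for this example.

```python
import json
from dataclasses import dataclass

# Assumed: the UK endpoint; the TLD differs per Exact Online country.
TOKEN_URL = "https://start.exactonline.co.uk/api/oauth2/token"

# Constructed sample of the HTTP 400 response described above (not a captured live response).
SAMPLE_400_HEADERS = {
    "Reason": "TooEarlyToRefreshTokens: rate limit exceeded: access_token not expired",
    "Retry-After": "569",
}
SAMPLE_400_BODY = '{ "error": "access_denied", "error_description": "Rate limit exceeded: access_token not expired" }'


def header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_refresh_failure(status, headers, body):
    """Classify a non-200 token endpoint response into a dict.

    'kind' is 'too_early' for the rate-limit response (HTTP 400 plus the
    TooEarlyToRefreshTokens code in the Reason header) and 'other' otherwise.
    Only the numeric seconds form of Retry-After is handled, as seen on this endpoint.
    """
    reason = header(headers, "Reason") or ""
    code, _, message = reason.partition(":")
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    retry_after = header(headers, "Retry-After")
    result = {
        "status": status,
        "code": code.strip(),
        "message": message.strip(),
        "error": payload.get("error"),
        "error_description": payload.get("error_description"),
        "retry_after": int(retry_after) if retry_after and retry_after.strip().isdigit() else None,
    }
    result["kind"] = "too_early" if status == 400 and result["code"] == "TooEarlyToRefreshTokens" else "other"
    return result


@dataclass
class TokenState:
    access_token: str
    refresh_token: str
    expires_at: float            # epoch seconds at which the access token expires
    hold_off_until: float = 0.0  # no refresh attempts before this time (from Retry-After)
    needs_reauthorization: bool = False


def should_refresh(state, now, skew=30.0):
    """Refresh only when the access token is expired or about to expire (assumed 30 s skew).
    Refreshing while the access token is still valid is exactly what trips the rate limit."""
    return now + skew >= state.expires_at and now >= state.hold_off_until


def refresh(state, post, now):
    """Refresh via `post(url, form_dict) -> (status, headers, body)`, injected so this runs offline.
    Returns the updated TokenState; raises on errors other than the rate limit."""
    if state.needs_reauthorization:
        raise RuntimeError("refresh token no longer usable; run the authorization flow again")
    if not should_refresh(state, now):
        return state
    form = {"grant_type": "refresh_token", "refresh_token": state.refresh_token}
    status, headers, body = post(TOKEN_URL, form)
    if status == 200:
        token = json.loads(body)
        state.access_token = token["access_token"]
        # Keep the old refresh token if the server did not hand out a new one.
        state.refresh_token = token.get("refresh_token", state.refresh_token)
        state.expires_at = now + float(token["expires_in"])
        return state
    failure = parse_refresh_failure(status, headers, body)
    if failure["kind"] == "too_early":
        # Honour the server-supplied back-off (assumed 600 s fallback if the header is missing).
        state.hold_off_until = now + (failure["retry_after"] if failure["retry_after"] is not None else 600)
        # The refresh token appears to stop working after this error, so flag re-authorization
        # rather than retrying the same refresh token after the back-off.
        state.needs_reauthorization = True
        return state
    raise RuntimeError(f"token refresh failed: {status} {failure['error']}: {failure['error_description']}")
```

In a real client the `post` callable wraps the HTTP library of choice and `now` is `time.time()`; keeping both injectable makes the back-off and re-authorization paths unit-testable without hitting the live endpoint.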
Where possible, Invantive products will be updated to reflect this. It is not yet clear whether and when this functionality with these limitations will be used in Belgium and/or the Netherlands. It is also not known how Exact Online's own apps will handle this when they are used on, for example, multiple phones for one user.