Clarify that refreshed access tokens don't invalidate the scope of txnid (#1236)

2022-09-26 14:39:43 -06:00 · 2022-09-26 14:39:43 -06:00 · 6c6c602845
commit 6c6c602845
parent 7ab3aecf29
6 changed files with 14 additions and 6 deletions
--- a/content/client-server-api/_index.md
+++ b/content/client-server-api/_index.md
@ -213,12 +213,19 @@ See the [Server Notices](#server-notices) module for more information.

 The client-server API typically uses `HTTP PUT` to submit requests with
 a client-generated transaction identifier. This means that these
-requests are idempotent. The scope of a transaction identifier is a
-particular access token. It **only** serves to identify new requests
+requests are idempotent. It **only** serves to identify new requests
 from retransmits. After the request has finished, the `{txnId}` value
 should be changed (how is not specified; a monotonically increasing
 integer is recommended).

+The scope of a transaction ID is a "client session", where that session
+is identified by a particular access token. When [refreshing](#refreshing-access-tokens)
+an access token, the transaction ID's scope is retained. This means that
+if a client with token `A` uses `TXN1` as their transaction ID, refreshes
+the token to `B`, and uses `TXN1` again it'll be assumed to be a duplicate
+request and ignored. If the client logs out and back in between the `A` and
+`B` tokens, `TXN1` could be used once for each.
+
 Some API endpoints may allow or require the use of `POST` requests
 without a transaction ID. Where this is optional, the use of a `PUT`
 request is strongly recommended.