For all Z-Commerce API calls except the login() call, you'll need to provide a valid session token to authenticate yourself to the Zuora system. As with any session-based authentication, the session token has a certain lifespan, beyond which it expires and is no longer valid. The session token can be retrieved using the login() API call.
There are three ways of managing the session token:
- The API client tracks the session token lifespan
- The API client logs in to Zuora before every call
- The API client handles session token expiration exceptions
See Log in to the Zuora SOAP API for more information on the sequence of API calls required to retrieve a Zuora session token.
The API Client Tracks the Session Token Lifespan
The API client tracks the session token lifespan via a timer set to expire at 10 minutes. Zuora recommends that you use this method.
At the moment of timer expiration, the client logs in to Zuora again, getting an updated token. This new token is used for the next 10 minutes, and so on. The 10-minute timer duration gives a comfortable margin from the minimum Zuora session token expiration of 15 minutes.
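The following Python example is added here and is not Zuora's code. It caches the session token and logs in again once the token is 10 minutes old, checking the token's age on each call instead of running a background timer. The login argument is a hypothetical callable that wraps the login() API call and returns the token; the token values in demo() are constructed.

```python
import threading
import time

REFRESH_AFTER_SECONDS = 10 * 60  # the 10-minute timer; minimum token lifetime is 15 minutes


class SessionTokenCache:
    """Caches a session token and logs in again once the refresh timer has elapsed."""

    def __init__(self, login, refresh_after=REFRESH_AFTER_SECONDS, clock=time.monotonic):
        # login: hypothetical callable wrapping the login() API call; returns the token string.
        self._login = login
        self._refresh_after = refresh_after
        self._clock = clock  # monotonic, so wall-clock changes cannot extend a token's use
        self._lock = threading.Lock()
        self._token = None
        self._obtained_at = None

    def get(self):
        """Return a token younger than refresh_after, logging in first if needed."""
        with self._lock:  # one login at a time, even with concurrent callers
            now = self._clock()
            if self._token is None or now - self._obtained_at >= self._refresh_after:
                # If login raises, the cached state is unchanged, so the next get() retries.
                token = self._login()
                self._token, self._obtained_at = token, self._clock()
            return self._token


def demo():
    """Constructed run with a fake clock and fake login; tokens seen at 0, 9 and 10 minutes."""
    now = [0.0]
    issued = []

    def fake_login():
        issued.append(f"token-{len(issued) + 1}")  # constructed placeholder values
        return issued[-1]

    cache = SessionTokenCache(fake_login, clock=lambda: now[0])
    seen = []
    for minute in (0, 9, 10):
        now[0] = minute * 60.0
        seen.append(cache.get())
    return seen, len(issued)
```

Every API call asks the cache for the token with get(), so the token sent is never more than 10 minutes old and stays inside the 15-minute minimum lifetime.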
The API Client Logs in to Zuora Before Every Call
Having the API client log in to Zuora before every call is the simplest management method. Although it incurs the overhead of another API call, it simplifies the client logic.
The API Client Handles Session Token Expiration Exceptions
When a session token expires, a Zuora API call will throw an authentication exception. The API client can then log in and retry the call. This is not recommended, as the exception handling logic unnecessarily complicates the API client.