The payload sent to the SmartApp handler is documented as follows:
What’s the difference between the authTokens in the UPDATE lifecycle and the EVENT lifecycle?
Despite giving them the same name and the same description they are clearly different.
At run time the one received in UPDATE is a short format (like a GUID), is accompanied by a refresh token, and works like a SmartApp token in accordance with the documentation. However, the one received at EVENT is an 800 odd character token. How is this to be used?
Given that it’s a common pattern to call the API during the event lifecycle, am I expected to “remember” the authToken received during the UPDATE cycle or is there some way I should be using the longer token? Is there a different authorization scheme that can be used in the API call.
Naturally, it wouldn’t be ideal to expect SmartApps (with their millions of users) to hold on to the authTokens they receive, since they would have no idea when the next lifecycle handler will be called, and being stateless would be a lot easier to implement than having to store millions of trusting users authTokens somewhere. So I’m hoping that in the payload passed in during the EVENT lifecycle, there is everything I need to make a call to the API.