V2 API - new user access_tokens revoke old ones?

Hey all!

Been trying to add Patreon integration to a webapp I’m building in order to reward patrons and could use some clarification on something :sweat_smile:

Tech / Env:

  • Next.js (typescript)
  • NextAuth
  • prisma (postgres)
  • NOT using patreon-js since that seems to only support v1 API

Repo / Setup:
A user (patron) visits my webapp on their desktop and signs in via Patreon’s OAuth2. Webapp receives auth tokens for that user (access_token, refresh_token, expires_in, etc). Webapp stores those tokens in my DB so we can make API calls on their behalf. That part works fine and as expected.

That same user then opens up the webapp on their phone and signs in. Patreon, as expected, issues another set of auth tokens with the OAuth2 response. These DO NOT get stored in the db since the already stored tokens are assumed to still be valid. When tested, the second (mobile sign in) set of auth tokens work as expected but the first (desktop sign in) set does not.

Question:
Is this expected behavior? I would imagine that both sets of auth tokens would work (as long as they haven’t expired, been manually revoked by the user, etc.), but I may misunderstand how OAuth2 tokens generally behave. Is only 1 set of auth tokens ever valid for a user per client? Is the “solution” just to always store and use the last set of auth tokens received?

I’ve gone ahead and decided to go with the workaround (?) I mentioned in my original post. On every sign-in, when Patreon API returns auth tokens to me I update my user’s account table with the tokens received. This seems to be working fine for now. Will update if I run into any other hurdles but always happy to learn if anyone ends up knowing a better way to manage things.

If the user goes through the OAuth flow another time using mobile, then another set of tokens would be issued. That’s normal behavior. So…

“Patreon API returns auth tokens to me I update my user’s account table with the tokens received”

…that is the way to do it. Have one central place that stores the tokens.
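
The "one central place" approach from this thread, as an added sketch that is not code from the thread or from Patreon: every sign-in overwrites the stored token set, and all API-calling code reads from that single row. The class and function names are hypothetical, a `Map` stands in for the account table, and the check against a delayed write from an earlier sign-in is an addition beyond what the thread discusses.

```typescript
// Added example: hypothetical names throughout; a Map stands in for the account table.
interface TokenResponse {            // fields named in the post's OAuth2 response
  access_token: string;
  refresh_token: string;
  expires_in: number;                // lifetime in seconds
}

interface StoredTokens {
  accessToken: string;
  refreshToken: string;
  expiresAt: number;                 // epoch ms
  receivedAt: number;                // epoch ms when our server got the response
}

class AccountTokenStore {
  // key: `${provider}:${accountId}`, exactly one row per user per provider
  private rows = new Map<string, StoredTokens>();

  // Call on every sign-in. Replaces the whole row so a stale token set is never reused.
  saveOnSignIn(provider: string, accountId: string, t: TokenResponse, receivedAt: number): boolean {
    const key = `${provider}:${accountId}`;
    const current = this.rows.get(key);
    // Assumption: a delayed write from an earlier sign-in must not clobber a newer one.
    if (current && current.receivedAt > receivedAt) return false;
    this.rows.set(key, {
      accessToken: t.access_token,
      refreshToken: t.refresh_token,
      expiresAt: receivedAt + t.expires_in * 1000,
      receivedAt,
    });
    return true;
  }

  // The only place API-calling code reads tokens from.
  get(provider: string, accountId: string): StoredTokens | undefined {
    return this.rows.get(`${provider}:${accountId}`);
  }
}

// Constructed sample responses for one patron signing in on two devices.
const desktop: TokenResponse = { access_token: "desktop-at", refresh_token: "desktop-rt", expires_in: 3600 };
const mobile: TokenResponse = { access_token: "mobile-at", refresh_token: "mobile-rt", expires_in: 3600 };

// Returns the access token the store would hand out after each sign-in.
function demo(): string[] {
  const store = new AccountTokenStore();
  store.saveOnSignIn("patreon", "user-1", desktop, 1000);
  const afterDesktop = store.get("patreon", "user-1")!.accessToken;
  store.saveOnSignIn("patreon", "user-1", mobile, 2000);
  return [afterDesktop, store.get("patreon", "user-1")!.accessToken];
}
```

With a real database the same rule becomes an upsert keyed on the provider and account id, run inside the sign-in handler.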