According to this tutorial, after authentication we get a code parameter and it is exchanged for a permanent access token, right?
My doubt is: do we need to get a permanent access token every time the user opens the installed app? Is there any validity for the permanent access token?
According to the tutorial, every time the user opens the app from the Shopify dashboard it redirects to /shopify?shop=XXXX, then it further redirects to the OAuth URL (https://' + shop + '/admin/oauth/authorize?client_id=' + apiKey + '&scope=' + scopes + '&state=' + state + '&redirect_uri=' + redirectUri), then it further redirects to /shopify/callback. In the callback it verifies the HMAC and then the code is exchanged for a permanent access token. So this means every time the user opens the app it gets a new permanent access token, right?
An offline, permanent access token is just that, permanent. It will be valid until the app is uninstalled or you revoke your permissions. When you are putting the user through the OAuth flow after you've already received an access token, you are doing so to verify the request came from Shopify and is legitimate (through HMAC and state comparisons) more than to receive a new token. In fact, you'll only receive a new token if you update your scopes or it's a fresh install.
Let me know if you still have questions about this flow.
@Busfox Thanks for the reply. So it's not necessary to get a new token on every app launch. What I understood from the code mentioned above is that it gets a new token every time the app launches from the admin apps section.
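An added example, not code from the tutorial or from any poster in this thread: a callback handler that does the HMAC and state checks the answer describes and exchanges the code only when no token is stored for the shop or the requested scopes changed. The secret, the in-memory `tokenStore`, the `exchangeCode` callback and the `signQuery` demo helper are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample values (assumptions, not real credentials).
const API_SECRET = 'example-secret';
const tokenStore = new Map(); // hypothetical store: shop -> { token, scopes }

// Message that is signed: every query parameter except hmac, sorted by key
// and joined as key=value with '&'. Assumes values need no URL-encoding.
function signedMessage(query) {
  return Object.keys(query).filter((k) => k !== 'hmac').sort()
    .map((k) => `${k}=${query[k]}`).join('&');
}

function hmacIsValid(query, secret) {
  const expected = crypto.createHmac('sha256', secret)
    .update(signedMessage(query)).digest();
  const given = Buffer.from(String(query.hmac || ''), 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// exchangeCode is a hypothetical function that swaps the code for a token.
function handleCallback(query, cookieState, requestedScopes, exchangeCode) {
  if (!cookieState || query.state !== cookieState) {
    return { ok: false, reason: 'state mismatch' };
  }
  if (!hmacIsValid(query, API_SECRET)) return { ok: false, reason: 'bad hmac' };
  const saved = tokenStore.get(query.shop);
  if (saved && saved.scopes === requestedScopes) {
    // Request is verified and the stored token still covers these scopes.
    return { ok: true, token: saved.token, exchanged: false };
  }
  const token = exchangeCode(query.shop, query.code);
  tokenStore.set(query.shop, { token, scopes: requestedScopes });
  return { ok: true, token, exchanged: true };
}

// Demo helper: signs a constructed query so the checks can be exercised offline.
function signQuery(params, secret) {
  const hmac = crypto.createHmac('sha256', secret)
    .update(signedMessage(params)).digest('hex');
  return { ...params, hmac };
}
```

In a real app the token store would be a database keyed by shop, and the stored entry would be deleted when the app is uninstalled.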