Issue Refreshing Candis Tokens for Multiple Organizations


Hi everyone,

I’m running into a problem with the Candis API regarding token refresh for multiple organizations. Here’s the situation:

I have 18 different organizations, each with its own access and refresh tokens. I obtain the tokens using the standard OAuth2 flow: first, I get an authorization code via the GET request here "https://my.candis.io/authentication_code", then exchange it for tokens with a POST request. Here’s a simplified snippet of how I do it:

```python
import requests
from requests.auth import HTTPBasicAuth

# Step 1: Get authorization code
# ... build URL and open in browser ...

# Step 2: Exchange code for token
response = requests.post(
    TOKEN_URL,
    data={...},
    auth=HTTPBasicAuth(CLIENT_ID, CLIENT_SECRET)
)
tokens = response.json()
```

In Airflow, I’m trying to refresh all tokens periodically. I have a DAG that loops over each organization’s variable and uses its refresh token to get a new access token.

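```python
import json
import time

import requests
from requests.auth import HTTPBasicAuth
from airflow.models import Variable

for var_name in CANDIS_VAR_NAMES:
    # Each Airflow Variable holds one organization's token pair as JSON
    token_data = json.loads(Variable.get(var_name))
    refresh_token = token_data.get("refresh_token")

    payload = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token
    }

    r = requests.post(TOKEN_URL, data=payload, auth=HTTPBasicAuth(client_id, client_secret))
    new_data = r.json()
    # Overwrite the stored pair with whatever the token endpoint returned
    Variable.set(var_name, json.dumps({
        "access_token": new_data["access_token"],
        "refresh_token": new_data["refresh_token"]
    }))
    time.sleep(10)
```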


The problem:

When I refresh the tokens, sometimes they do not match the organization I intended — the returned token may be for a different organization. I’m not sure if this is an issue with my refresh flow or if Candis requires separate authorization for each organization every time.

Questions:

Is there a way to obtain a single token that can access all organizations, instead of managing 18 separate tokens?

For example, this is the Airflow log; all tokens are being refreshed for the first schweiz organisation.

```
[2026-02-16, 17:14:43 CET] {logging_mixin.py:188} INFO - ✅ candis_token_schweiz_ag refreshed and updated.
[2026-02-16, 17:14:53 CET] {logging_mixin.py:188} INFO - Refreshing tokens for: candis_token_belgium_bv...
[2026-02-16, 17:14:53 CET] {logging_mixin.py:188} INFO - ✅ candis_token_belgium_bv refreshed and updated.

...
```

If not, is there a recommended approach to reliably refresh tokens for multiple organizations without them “mixing up”?

Any guidance or best practices would be greatly appreciated.

Thanks in advance!
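
One way to guard the refresh loop described above against the mix-up, as an added example that is not part of the original post and not Candis's own code: each response is checked before it overwrites a stored token, and a token already handed to another organization in the same run is rejected. `refresh_all`, `fingerprint`, the `post` callable and the sample tokens are assumptions constructed for illustration.

```python
import hashlib
import json

def fingerprint(token: str) -> str:
    """Short SHA-256 digest so tokens can be compared without exposing them."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def refresh_all(store: dict, post) -> dict:
    """Refresh every organization's tokens in `store` (name -> JSON string).

    `post(refresh_token)` is a hypothetical callable returning (status, body);
    in the DAG it would wrap requests.post(TOKEN_URL, ...).
    Returns name -> "ok" or the reason the stored tokens were left untouched.
    """
    seen = {}    # fingerprint -> organization that first received that token
    report = {}
    for name in sorted(store):
        old = json.loads(store[name])
        status, body = post(old["refresh_token"])
        if status != 200:
            report[name] = f"http {status}"
            continue
        access, refresh = body.get("access_token"), body.get("refresh_token")
        if not access or not refresh:
            report[name] = "incomplete response"
            continue
        # A token already stored for another organization signals a mix-up.
        clash = seen.get(fingerprint(access)) or seen.get(fingerprint(refresh))
        if clash:
            report[name] = f"same token as {clash}"
            continue
        seen[fingerprint(access)] = seen[fingerprint(refresh)] = name
        store[name] = json.dumps({"access_token": access, "refresh_token": refresh})
        report[name] = "ok"
    return report

# Constructed sample: a fake endpoint that answers every valid request
# with the same token pair, as in the symptom described in the post.
def fake_post(refresh_token):
    if refresh_token == "rt-expired":
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": "at-A2", "refresh_token": "rt-A2"}

sample_store = {
    "candis_token_a": json.dumps({"access_token": "at-A1", "refresh_token": "rt-A1"}),
    "candis_token_b": json.dumps({"access_token": "at-B1", "refresh_token": "rt-B1"}),
    "candis_token_c": json.dumps({"access_token": "at-C1", "refresh_token": "rt-expired"}),
}

if __name__ == "__main__":
    print(refresh_all(sample_store, fake_post))
```

The returned report contains only variable names and reasons, so it can go to the Airflow log without writing token values there.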