Hello,

I have some questions regarding the new authentication and authorization flow.

• What is the “refresh token per user used” for? In other words how do I even get multiple valid refresh tokens? 

If you use the ‘Re use’ option you get the same refresh-token after a refresh request in the response.
If you use the ‘On time’ option you get a new refresh-token after a ‘refresh’ request in the response, an the old one is invalidated.

Are access tokens not invalidated when you start the auth flow for the same client?

• What does the “The refresh token expiration in days” option precisely do in which scenario?

Does the slider reset after each successful refresh request or is this based on which “Refresh Token usage” option you have selected?
What use case(s) can actually invalidate your access and refresh token outside the scope of the web application itself, changing password for example?

• What can you do with the API if you have not set any other integration scopes. So the only scopes you have are “openid, email and profile”
• Is there a way you can get Company information after authorization? The Id token only has user info but I am also interested in Company info. This was always possible through the ‘context’ endpoint but this one seems to be obsolete?

I thought maybe this was possible with the “Tenants” scope you are able to select at the ‘Identity Scopes’ option, but it seems that this scope does nothing, the phone and address scope actually adds information you’re id_token.

• Do you have to integrate your web application with the visma store? In our tests you were mandatory to have to “API user” role to even start the web authentication flow if you do not have that role we were not able to select a company. Normal end users will never be able to do this easily there is always some help required to set this up, this kind a makes the Visma store other than marketing purposes a bit useless for web applications.

Thanks in advance!

Kind regards,
Michel