You may be wondering to yourself, how does Shine even work with Google Calendar anyway? What’s the process behind it? Is there anything I should be scared of?
Well, if you are wondering these things, you’ve arrived in the right place! … And hopefully it’ll prove to not be that scary. 😀
How Connections Happen
Most of the time, when one online service wants to connect to another, or a desktop or mobile app wants to connect to an online service, there’s a common process they all go through.
This process is specified and handled through something called “OAuth 2.0” and it’s biggest goal is to allow different apps and services to work together, as long as they have your permission, and to do it in a way that still keeps you safe.
Google Calendar is no exception.
When you click that “Add a Google Account…” button in Shine Calendar, Shine begins the OAuth 2.0 process. It involves a hand-off between you, Google, and Shine.
First, Google will ask you if you want to allow Shine to access your account. It will include a list of the things of permissions, such as access to your calendars (something a calendar app miiiiight need). You tell Google “allow” or “disallow” from there.
If you allow it, Google will go back to Shine and give it this special number called an access token. Shine will then take this access token, store it on your device, and then things are ready to go!
You’ll notice that Shine itself doesn’t actually ask you for your password; you may have to log in through your web browser, but Shine itself doesn’t ever see or know your password. This is because all communication between Shine and your Google account occurs solely using this access token.
Receiving and Sending Data
“So how does this access token thing even do anything?” you may ask.
As noted above, an access token is just a special number. But this number is not just special, it’s really big and really unique. Every single time any app or website is allowed access to any Google account, they’re given a new, unique number. No one access token is alike. The one that Shine stores is unique for only Shine to access only your Google account.
Whenever Shine wants to do anything on your behalf in Google Calendar, such as creating a new event or viewing all of the events you have coming up next week, it’ll send a request to Google to do just that, and will also include a copy of this access token in its request.
Google keeps a list somewhere in there of all the access tokens it’s given and the accounts and apps they correspond to. When Google receives this request from Shine, they look at the access token, find out which account it’s for, check to see if Shine has permission, and then they go into that account and do what Shine requested. This all happens automatically and in almost no time, every time you do something like look at your schedule tomorrow or update that meeting time.
Nothing Lasts Forever
Access tokens aren’t some unlimited, forever-and-ever, free tickets to your account.
As a security feature, when Google gives Shine an access token, it also tells Shine how long this token will last until Shine will need to ask for a new one. The length of time it works is something that Google decides and Shine gets no say in; after a certain point, however, the time is up, and the token becomes expired.
After this point, the next time that Shine attempts to send a request to Google, it will notice the expired access token and ask Google for a new one first. As long as you keep allowing Shine permission to your account, Google will keep providing it access tokens.
Let’s say, however, that one day, you decide to disconnect Shine from your Google account. How exactly this goes down depends upon how you do it:
If you go into your Google account settings and remove Shine’s permissions to your account, Google will go ahead and delete the access token from its side. The next time that Shine attempts to access your Google account, it’ll send a request with the access token and Google will send back an error, saying that they don’t have a record of this token (anymore).
(At this point, Shine will show this error to you, and then will go ahead and delete the access token on its end.)
If you go into Shine’s options and disconnect your Google account, Shine will delete the access token on its end, and will just simply not connect to your Google account anymore. Google may still have this access token stored somewhere, but nothing’s going to be sending requests to them with it anymore.
Can I see my access token?
Simply put, no.
Honestly, it wouldn’t really mean anything to you if you did. To us humans, this access token will just look like a random jumble of letters, symbols, and numbers. It’s not really anything that exciting.
Besides, there’s security reasons why Shine wouldn’t want to show you your token anyway. If someone malicious found the access token, they could take it and use it in their own app. This app would be able to impersonate Shine and access your account. I don’t think you want that.