Android C2DM Auth token, one time or every time

Question

I am outlining my plan to implement C2DM into an application and have a basic (read: stupid) question about the Auth tokens.

The client server needs to register with the google c2dm service using the white listed account:

For testing:

curl https://www.google.com/accounts/ClientLogin -d Email=theEmailYouWhitelisted -d Passwd=pass****word -d accountType=HOSTED_OR_GOOGLE -d source="your_app_name_and_ver_for_logging_purposes_only" -d service=ac2dm

My question is, does this happen once per application per c2dm account - ie: get the one server generated auth code using your whitelisted account, store it, then every time a message gets sent retrieve it and use:

curl --header "Authorization: GoogleLogin auth=**authFromRegistrationAbove**" "https://android.apis.google.com/c2dm/send" -d registration_id=**phoneRegistrationId(reciever)** -d "data.message=StringToPass" -d collapse_key=something -k

Or do you have to request a new Auth code for every message being pushed?

Answer 1

Store the auth token for future pushes. From the Google C2DM page:

Able to store the ClientLogin Auth token and client registration IDs. The ClientLogin Auth token is included in the header of POST requests that send messages. For more discussion of this topic, see ClientLogin for Installed Applications. The server should store the token and have a policy to refresh it periodically.

Also note that Google will periodically refresh the token in an Update-Client-Auth header. See this discussion on the android-c2dm group for details.

From my experience, I can't tell when or why Google chooses to refresh the token. It's happened to me as frequently as every day, and sometimes it's every week.