The accesstoken is used to handle access to instances and is an easy way to handle security.

A session using an accesstoken can be established like:

// Generate the object.
$token = new Accesstoken();
// Generate an unique token code within the object.
$token->generateTokenCode();
// Select when the token expires
$timestamp = new Timestamp('now');
// We expire it in ten minutes.
$accesstoken->expire_date = $timestamp->add(10*60);
// Save it for later reference.
$token->save();
// Write the token code to the session
$token->setSession();

This is boiled into a number of methods.

$token = Accesstoken::acquireAnonymous(60*60);

The code above acquires an access token which isn't associated with any user, and lasts for one hour.

To associate an access token with a user, this is done like:

$user = new User();
$user->loadForRead($some_user_id)
$token = Accesstoken::acquire($user);

To check for a valid access token, do one of the following:

if (! Accesstoken::validateSession()) die('You aren\'t logged in, or your login expired');
 
Accesstoken::validateSession('/url-to-not-logged-in');
 
// The options below will cause a successful validation to make the session valid for ten more minutes.
Accesstoken::validateSession('/url-to-not-logged-in', true, 600);

If you make a check like above and redirect the user to a login-page, you can afterwards call the resumeLocation()-function to return the user to the place where the check failed.

Logout can be performed like:

Accesstoken::destroySession();

This will destroy the entire PHP $_SESSION variable. To only destroy the Platform login session information, pass false to the function.