The IQ Gateway authentication is done entirely offline - but you do have to have a device online (laptop, pi, mobile etc) to obtain a JWT to present to it.
Installer tokens are 12 hours, Owner tokens are a year. Some endpoints are only accessible with roles higher than Owner, however; see https://github.com/Matthew1471/Enphase-API/blob/main/Documen.... For my scripts (available as the "examples"), they're set to renew the tokens automatically where required.
It is about as sensible a design as you could come up with while still tying the access to be gated by the manufacturer. I still don't really get why it's done this way: the stated reason of security against a previous owner of the system doesn't make sense: this can more easily be accomplished by being able to reset the password.
(As an aside, assuming the system gets its time from NTP, I wonder if you could extend a token's access time indefinitely by returning a looping timestamp from a local server)