POST /User/RefreshToken
When to Use
- Renew expired or near-expiry access tokens without re-authentication
- Maintain continuous API access for long-running processes
- Implement token rotation security practices
- Avoid service interruption due to token expiration
Prerequisites
- Valid refresh token obtained from previous login or refresh operation
- Refresh token must not be expired (typically 30-day lifetime)
- Understanding of token lifecycle and rotation security
- Secure storage of refresh tokens in your application
Considerations
⚠️ Token Refresh Requirements
- Authorization Required: Must include current access token in Authorization header - refresh token alone is insufficient
- Token Revocation: Previous access token is automatically revoked when new tokens are issued
- Refresh Token Rotation: New refresh token is issued with each refresh operation - update stored tokens accordingly
- Session Extension: Refresh tokens before access token expiration to maintain uninterrupted API access
Description
Exchanges a valid refresh token for new access and refresh tokens, extending the authentication session without requiring username/password re-entry. This endpoint supports token rotation security practices by optionally issuing new refresh tokens alongside new access tokens.
Token Refresh Flow
- Submit current refresh token from secure storage
- System validates refresh token authenticity and expiration
- Issues new access token with fresh expiration time
- Optionally issues new refresh token for enhanced security
- Update stored tokens in your application
Required Headers
Requires Authorization Header: Must include the current (expiring) access token in the Authorization header as "Bearer {token}". The refresh token provided in the request body is used to generate new tokens only after the current access token has been validated.
| Header | Value | Description |
|---|---|---|
| Authorization | Bearer {accessToken} | Current access token (required for validation) |
| Content-Type | application/json | Request content type |
| Version | 2.0 | API version identifier |
Request Body
| Parameter | Type | Required | Description |
|---|---|---|---|
| refreshToken | string(255) | Yes | Valid refresh token for session extension. |
Refresh Token Security
- Store refresh tokens securely using encrypted storage or secure vaults
- Never expose refresh tokens in client-side code or logs
- Implement secure token rotation by updating stored refresh tokens
- Monitor for invalid refresh token attempts as security indicators
- Clear stored tokens on user logout or security events
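As an added example (not part of this API reference), a small Python client that follows the Token Refresh Flow and the Refresh Token Security list above: it sends the expiring access token in the Authorization header and the refresh token in the body, replaces both stored tokens on success, and clears them when the refresh is rejected. The JWT `exp` parsing, the 60-second refresh margin and the `FakeAuthServer` are assumptions and constructed stand-ins, not behaviour documented for this service.

```python
import base64, json, time
from collections import namedtuple
from typing import Callable, Dict, Tuple

REFRESH_PATH = "/User/RefreshToken"
REFRESH_MARGIN_S = 60  # assumed client policy: refresh this long before the access token expires
TokenPair = namedtuple("TokenPair", "access_token refresh_token")
Transport = Callable[[str, Dict[str, str], dict], Tuple[int, dict]]  # (path, headers, body) -> (status, body)

def jwt_exp(token: str) -> int:
    # Scheduling aid only (assumes the access token is a JWT): no signature check, never used for authz.
    payload = token.split(".")[1]
    return int(json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["exp"])

class RefreshingClient:
    def __init__(self, tokens: TokenPair, transport: Transport, now=time.time):
        self.tokens, self.transport, self.now = tokens, transport, now
    def needs_refresh(self) -> bool:  # "Session Extension": refresh before expiry, not after
        return jwt_exp(self.tokens.access_token) - self.now() <= REFRESH_MARGIN_S
    def refresh(self) -> TokenPair:
        # Both credentials go on the wire: current access token in the header, refresh token in the body.
        headers = {"Authorization": f"Bearer {self.tokens.access_token}",
                   "Content-Type": "application/json", "Version": "2.0"}
        status, body = self.transport(REFRESH_PATH, headers, {"refreshToken": self.tokens.refresh_token})
        if status != 200:
            self.tokens = None  # a rejected refresh is a security event: clear stored tokens, force re-login
            raise PermissionError(f"refresh rejected with HTTP {status}")
        # Rotation: replace both stored tokens together; the old refresh token must never be sent again.
        self.tokens = TokenPair(body["accessToken"], body["refreshToken"])
        return self.tokens

# Constructed stand-in for the auth server so the example runs offline; not the real service.
def fake_jwt(exp: int) -> str:
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'exp': exp})}.fakesig"

class FakeAuthServer:
    def __init__(self, access: str, refresh: str, now=time.time):
        self.live_access, self.live_refresh, self.now, self.issued = {access}, {refresh}, now, 0
    def __call__(self, path: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
        bearer = headers.get("Authorization", "")[len("Bearer "):]  # "" when the header is absent
        if path != REFRESH_PATH or bearer not in self.live_access:
            return 401, {"error": "missing or revoked access token"}  # refresh token alone is insufficient
        if body.get("refreshToken") not in self.live_refresh:
            return 401, {"error": "invalid refresh token"}  # a replayed, rotated-out token lands here
        self.live_access.discard(bearer); self.live_refresh.discard(body["refreshToken"])  # revoke + rotate
        self.issued += 1
        new = TokenPair(fake_jwt(int(self.now()) + 3600), f"refresh-{self.issued}")
        self.live_access.add(new.access_token); self.live_refresh.add(new.refresh_token)
        return 200, {"accessToken": new.access_token, "refreshToken": new.refresh_token}
```

Wire `RefreshingClient` to a real HTTP transport that posts the body as JSON and returns `(status, parsed_json)`; the rejection path is where invalid-refresh attempts should be logged as a security indicator.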
Example Requests
```json
{
  "refreshToken": "refreshToken"
}
```
Response Examples
```json
{
  "accessToken": "eyJxxCJ9.eyJxxxpYyJ9.8Csxx3S-jMxxnv-4Nxxfw",
  "refreshToken": "cZkxxx4Y="
}
```