POST /User/RefreshToken
When to Use
- Renew expired or near-expiry access tokens without re-authentication
- Maintain continuous API access for long-running processes
- Implement token rotation security practices
- Avoid service interruption due to token expiration
Prerequisites
- Valid refresh token obtained from previous login or refresh operation
- Refresh token must not be expired (typically 30-day lifetime)
- Understanding of token lifecycle and rotation security
- Secure storage of refresh tokens in your application
Considerations
⚠️ Token Refresh Requirements
- Authorization Required: Must include current access token in Authorization header - refresh token alone is insufficient
- Token Revocation: Previous access token is automatically revoked when new tokens are issued
- Refresh Token Rotation: New refresh token is issued with each refresh operation - update stored tokens accordingly
- Session Extension: Refresh tokens before access token expiration to maintain uninterrupted API access
Description
Exchanges a valid refresh token for new access and refresh tokens, extending the authentication session without requiring username/password re-entry. This endpoint supports token rotation security practices by optionally issuing new refresh tokens alongside new access tokens.
Token Refresh Flow
- Submit current refresh token from secure storage
- System validates refresh token authenticity and expiration
- Issues new access token with fresh expiration time
- Optionally issues new refresh token for enhanced security
- Update stored tokens in your application
Required Headers
Requires Authorization Header: Must include the current (expiring) access token in the Authorization header as "Bearer {token}". The refresh token supplied in the request body is used to generate new tokens only after the current access token has been validated.
Header | Value | Description |
---|---|---|
Authorization | Bearer {accessToken} | Current access token (required for validation) |
Content-Type | application/json | Request content type |
Version | 2.0 | API version identifier |
Request Body
Parameter | Type | Required | Description |
---|---|---|---|
refreshToken | string(255) | Yes | Valid refresh token for session extension. |
Refresh Token Security
- Store refresh tokens securely using encrypted storage or secure vaults
- Never expose refresh tokens in client-side code or logs
- Implement secure token rotation by updating stored refresh tokens
- Monitor for invalid refresh token attempts as security indicators
- Clear stored tokens on user logout or security events
Example Requests
```json
{
"refreshToken": "refreshToken"
}
```
Response Examples
```json
{
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6InRlc3R1c2VyIiwiVXNlcklEIjoiMTIzIiwiSW5zdGFuY2VJRCI6IjEiLCJSb2xlcyI6Ilt7XCJSSURcIjoxLFwiQklEXCI6MTAwLFwiUElEXCI6NX1dIiwiZXhwIjoxNzQwMDAwMDAwLCJpc3MiOiJodHRwczovLzdnLmNvbS5hdSIsImF1ZCI6IlB1YmxpYyJ9.signature",
"refreshToken": "A8c7B9d2E1f4G6h5I3j8K0l9M7n4O2p1Q5r8S3t6U4v7W1x9Y2z5"
}
```
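Client-side handling of the refresh flow and token rotation described above, as an added example that is not part of this API's documentation or SDK. It reads the access token's `exp` claim to refresh ahead of expiry, builds the request with the headers and body this endpoint requires, and rotates the stored refresh token when the response carries one; the `send` transport, the `make_unsigned_jwt` test-token helper and the 60-second margin are assumptions for the demonstration.

```python
import base64
import json
import time

REFRESH_PATH = "/User/RefreshToken"  # endpoint from the doc; host is the caller's concern
REFRESH_MARGIN_SECONDS = 60          # refresh this long before the access token expires

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token (alg 'none', empty signature) to exercise the client offline."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def jwt_exp(access_token: str) -> int:
    """Read 'exp' from the JWT payload without verifying it; the client only uses
    this to schedule refreshes, the server still validates the token on every call."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def needs_refresh(access_token: str, now=None) -> bool:
    now = time.time() if now is None else now
    return jwt_exp(access_token) - now <= REFRESH_MARGIN_SECONDS

def build_refresh_request(tokens: dict) -> dict:
    """Shape required by the doc: current access token in Authorization, refresh token in body."""
    return {
        "method": "POST",
        "path": REFRESH_PATH,
        "headers": {"Authorization": f"Bearer {tokens['accessToken']}",
                    "Content-Type": "application/json", "Version": "2.0"},
        "body": {"refreshToken": tokens["refreshToken"]},
    }

def apply_refresh_response(tokens: dict, response: dict) -> dict:
    """Rotate stored tokens: a new refresh token replaces the old one; if the server
    omitted it (the doc says rotation is optional) the current refresh token is kept."""
    rotated = dict(tokens, accessToken=response["accessToken"])
    if response.get("refreshToken"):
        rotated["refreshToken"] = response["refreshToken"]
    return rotated

def refresh_if_needed(tokens: dict, send, now=None) -> dict:
    """send(request) -> response dict is injected so the caller owns HTTP/TLS and the
    logic runs offline. Returns the token set, rotated only when a refresh was due."""
    if not needs_refresh(tokens["accessToken"], now):
        return tokens
    return apply_refresh_response(tokens, send(build_refresh_request(tokens)))
```

Persist the returned token set atomically (both values together) so a crash between writes cannot leave a revoked access token paired with a stale refresh token.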