See api-docs Menu

Refresh Tokens

Refreshing tokens provides a new set of access and refresh tokens.

This API endpoint returns a response that includes status, which is not standard for OAuth 2.0, and which does not work with out-of-the-box OAuth 2.0 clients. We continue to support this endpoint, but recommend that for new development you use the Refresh Tokens v2 API.

Warning: Once you make this call, the existing access and refresh tokens you used to make the call will no longer work.

A refresh token is valid for 45 days after generation, as long as you have not refreshed or revoked it. So, for example, if your access token has expired, but its refresh token has not yet expired, you can use them to generate a new set of tokens (refresh tokens).

If 45 days has passed and the refresh token has expired, you’ll need to the Generate Tokens API call to generate a new set of tokens.

Resource URL

https://api.<us_or_eu>.onelogin.com/auth/oauth2/token

Header Parameter

Content-Type

required

string

Set to application/json.

Request Parameters

grant_type

required

string

Set to refresh_token.

access_token

required

string

Set to the access token that you want to refresh.

refresh_token

required

string

Set to the refresh token associated with the access token you want to refresh.

This must be the refresh token that was created along with the access token by the Generate Tokens API.

Sample Request Body

{
   "grant_type": "refresh_token",
   "access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34x8x614xxxx1451",
   "refresh_token": "628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523x9x9x0xxxx6x7x9320"
}

Sample Response

{
    "status": {
        "error": false,
        "code": 200,
        "type": "success",
        "message": "Success"
    },
    "data": [
        {
            "access_token": "",
            "created_at": "2015-11-11T22:46:15.961Z",
            "expires_in": 36000,
            "refresh_token": "",
            "token_type": "bearer"
        }
    ]
}

Here are a few different errors that will return a 400 Bad Request status code:

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "Content Type is not specified or specified incorrectly. 
                    Content-Type header must be set to application/json"
    }
}

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "grant_type is incorrect/absent"
    }
}

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "Access token cannot be refreshed. Please re-authenticate"
    }
}
{
    "status": {
        "error": true,
        "code": 401,
        "type": "Unauthorized",
        "message": "Invalid Token"
    }
}

Here are a few different errors that will return a 404 Not Found status code.

{
    "status": {
        "error": true,
        "code": 404,
        "type": "not found",
        "message": "Refresh Token could not be found"
    }
}

Typically, the following 404 Not Found: No Route Exists error means that you are using the incorrect method. If you receive this error, ensure that you are making a POST.

{
    "status": {
        "error": true,
        "code": 404,
        "type": "not found",
        "message": "No Route Exists"
    }
}

Postman Collection

Replace sample variables indicated by < > in the sample request body with your actual values. Also, be sure to set Postman-specific environment variables indicated by {{ }}.

Download for the OAuth 2.0 Tokens API

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl 'https://api.<us_or_eu>.onelogin.com/auth/oauth2/token' \
-X POST \
-H "Authorization: client_id:<client_id>, client_secret:<client_secret>>" \
-H "Content-Type: application/json" \
-d '{
    "grant_type":"refresh_token",
    "access_token":"<access_token>",
    "refresh_token":"<refresh_token>"
}'

Python

See Work with OAuth 2.0 Tokens, Users, and Roles.


Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.