Refresh Token
Refreshing tokens provides a new set of access and refresh tokens.
Deprecated
According to RFC6749 section 4.4.3 the Refresh Token should not be returned with a Client Credentials grant.
The refresh_token attribute will be removed from the Generate Token API response on 31st October 2020. As a result this Refresh Token request will not be possible hence the reason to deprecate it.
A refresh token is valid for 45 days after generation, as long as you have not refreshed or revoked it. So, for example, if your access token has expired, but its refresh token has not yet expired, you can use them to generate a new set of tokens (refresh tokens).
If 45 days has passed and the refresh token has expired, you’ll need to use the Generate Tokens v2 API call to generate a new set of tokens.
Resource URL
https://<subdomain>/auth/oauth2/v2/tokenHeader Parameter
Content-Type required string |
Set to application/json. |
Request Parameters
grant_type required string |
Set to refresh_token. |
access_token required string |
Set to the access token that you want to refresh. |
refresh_token required string |
Set to the refresh token associated with the access token you want to refresh. This must be the refresh token that was created along with the access token by the Generate Tokens v2 API. |
Sample Request Body
{
"grant_type": "refresh_token",
"access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34x8x614xxxx1451",
"refresh_token": "628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523x9x9x0xxxx6x7x9320"
}Sample Response
- 200 OK
- 400 Bad Request
- 401 Unauthorized
- 404 Not Found
{
"access_token": "",
"created_at": "2015-11-11T22:46:15.961Z",
"expires_in": 36000,
"refresh_token": "",
"token_type": "bearer"
}
Here are a few different errors that will return a 400 Bad Request status code:
{
"status": {
"error": true,
"code": 400,
"type": "bad request",
"message": "Content Type is not specified or specified incorrectly.
Content-Type header must be set to application/json"
}
}{
"status": {
"error": true,
"code": 400,
"type": "bad request",
"message": "grant_type is incorrect/absent"
}
}{
"status": {
"error": true,
"code": 400,
"type": "bad request",
"message": "Access token cannot be refreshed. Please re-authenticate"
}
}{
"status": {
"error": true,
"code": 401,
"type": "Unauthorized",
"message": "Invalid Token"
}
}Here are a few different errors that will return a 404 Not Found status code.
{
"status": {
"error": true,
"code": 404,
"type": "not found",
"message": "Refresh Token could not be found"
}
}Typically, the following 404 Not Found: No Route Exists error means that you are using the incorrect method. If you receive this error, ensure that you are making a POST.
{
"status": {
"error": true,
"code": 404,
"type": "not found",
"message": "No Route Exists"
}
}Postman Collection
- Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.
Sample Code
cURL
Replace sample values indicated by < > with your actual values.
curl 'https://<subdomain>/auth/oauth2/v2/token' \
-X POST \
-H "Authorization: client_id:<client_id>, client_secret:<client_secret>>" \
-H "Content-Type: application/json" \
-d '{
"grant_type":"refresh_token",
"access_token":"<access_token>",
"refresh_token":"<refresh_token>"
}'Python
See Work with OAuth 2.0 Tokens, Users, and Roles.
Have a Question?
Found a problem or a bug? Submit a support ticket.
Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.
Have a product idea or request? Share it with us in our Ideas Portal.