Refresh Tokens
Refreshing tokens provides a new set of access and refresh tokens.
This API endpoint returns a response wrapped in a status object, which is not standard for OAuth 2.0 and does not work with out-of-the-box OAuth 2.0 clients. We continue to support this endpoint, but recommend that for new development you use the Refresh Tokens v2 API.
Warning: Once you make this call, the existing access and refresh tokens you used to make the call will no longer work.
A refresh token is valid for 45 days after generation, as long as you have not refreshed or revoked it. So, for example, if your access token has expired but its refresh token has not, you can use the pair to generate a new set of tokens (refresh tokens).
If 45 days have passed and the refresh token has expired, you'll need to make a Generate Tokens API call to generate a new set of tokens.
Resource URL
https://<subdomain>/auth/oauth2/token
Header Parameter
Content-Type (required, string): Set to application/json.
Request Parameters
grant_type (required, string): Set to refresh_token.
access_token (required, string): Set to the access token that you want to refresh.
refresh_token (required, string): Set to the refresh token associated with the access token you want to refresh. This must be the refresh token that was created along with the access token by the Generate Tokens API.
Sample Request Body
{
  "grant_type": "refresh_token",
  "access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34x8x614xxxx1451",
  "refresh_token": "628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523x9x9x0xxxx6x7x9320"
}
Sample Response
- 200 OK
- 400 Bad Request
- 401 Unauthorized
- 404 Not Found
{
  "status": {
    "error": false,
    "code": 200,
    "type": "success",
    "message": "Success"
  },
  "data": [
    {
      "access_token": "",
      "created_at": "2015-11-11T22:46:15.961Z",
      "expires_in": 36000,
      "refresh_token": "",
      "token_type": "bearer"
    }
  ]
}
Here are a few different errors that return a 400 Bad Request status code:
{
  "status": {
    "error": true,
    "code": 400,
    "type": "bad request",
    "message": "Content Type is not specified or specified incorrectly. Content-Type header must be set to application/json"
  }
}
{
  "status": {
    "error": true,
    "code": 400,
    "type": "bad request",
    "message": "grant_type is incorrect/absent"
  }
}
{
  "status": {
    "error": true,
    "code": 400,
    "type": "bad request",
    "message": "Access token cannot be refreshed. Please re-authenticate"
  }
}
The following error returns a 401 Unauthorized status code:
{
  "status": {
    "error": true,
    "code": 401,
    "type": "Unauthorized",
    "message": "Invalid Token"
  }
}
Here are a few different errors that return a 404 Not Found status code.
{
  "status": {
    "error": true,
    "code": 404,
    "type": "not found",
    "message": "Refresh Token could not be found"
  }
}
Typically, the following 404 Not Found: No Route Exists error means that you are using the incorrect HTTP method. If you receive this error, ensure that you are making a POST.
{
  "status": {
    "error": true,
    "code": 404,
    "type": "not found",
    "message": "No Route Exists"
  }
}
Postman Collection
Replace sample variables indicated by < > in the sample request body with your actual values. Also, be sure to set Postman-specific environment variables indicated by {{ }}.
Download for the OAuth 2.0 Tokens API
Sample Code
cURL
Replace sample values indicated by < > with your actual values.
curl 'https://<subdomain>/auth/oauth2/token' \
  -X POST \
  -H "Authorization: client_id:<client_id>, client_secret:<client_secret>" \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type":"refresh_token",
    "access_token":"<access_token>",
    "refresh_token":"<refresh_token>"
  }'
Python
See Work with OAuth 2.0 Tokens, Users, and Roles.
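The following is an added example, not OneLogin's own code or the code in that guide: it builds the refresh request exactly as the cURL sample does and unwraps the non-standard status envelope, so that errors such as "Invalid Token" or "Access token cannot be refreshed" are surfaced as exceptions that tell the caller whether a fresh Generate Tokens call is needed. The sample responses, the subdomain and the token values are constructed placeholders.

```python
import json
from dataclasses import dataclass

# Constructed sample responses shaped like the page's examples (not real tokens).
SAMPLE_OK = {"status": {"error": False, "code": 200, "type": "success", "message": "Success"},
             "data": [{"access_token": "new-access", "created_at": "2015-11-11T22:46:15.961Z",
                       "expires_in": 36000, "refresh_token": "new-refresh", "token_type": "bearer"}]}
SAMPLE_401 = {"status": {"error": True, "code": 401, "type": "Unauthorized", "message": "Invalid Token"}}
SAMPLE_400 = {"status": {"error": True, "code": 400, "type": "bad request",
                         "message": "Access token cannot be refreshed. Please re-authenticate"}}

@dataclass(frozen=True)
class TokenSet:
    access_token: str
    refresh_token: str
    expires_in: int
    created_at: str

class RefreshError(Exception):
    """Error reported inside the status envelope (code and message as the API sent them)."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code, self.message = code, message

    def needs_reauthentication(self):
        """True when refreshing cannot succeed and a Generate Tokens call is required instead."""
        return self.code == 401 or "cannot be refreshed" in self.message or "could not be found" in self.message

def build_refresh_request(subdomain, client_id, client_secret, access_token, refresh_token):
    """Return (url, headers, body) for the v1 refresh call; header format follows the cURL sample."""
    url = f"https://{subdomain}/auth/oauth2/token"
    headers = {"Authorization": f"client_id:{client_id}, client_secret:{client_secret}",
               "Content-Type": "application/json"}
    body = json.dumps({"grant_type": "refresh_token",
                       "access_token": access_token, "refresh_token": refresh_token})
    return url, headers, body

def parse_refresh_response(payload):
    """Unwrap the non-standard envelope: errors live inside 'status', tokens inside 'data'[0].
    A stock OAuth 2.0 client expects 'access_token' at the top level and would miss both."""
    status = payload.get("status", {})
    if status.get("error", True):
        raise RefreshError(status.get("code"), status.get("message", "unknown error"))
    data = payload["data"][0]
    if not data.get("access_token") or not data.get("refresh_token"):
        raise RefreshError(status.get("code"), "response lacked tokens")
    return TokenSet(data["access_token"], data["refresh_token"],
                    int(data["expires_in"]), data["created_at"])
```

Because the old pair stops working as soon as the call succeeds, persist the returned TokenSet before discarding the tokens you sent.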