See api-docs Menu

Refresh Token

Refreshing tokens provides a new set of access and refresh tokens.

Deprecated

According to RFC6749 section 4.4.3 the Refresh Token should not be returned with a Client Credentials grant.

The refresh_token attribute will be removed from the Generate Token API response on 31st October 2020. As a result this Refresh Token request will not be possible hence the reason to deprecate it.

A refresh token is valid for 45 days after generation, as long as you have not refreshed or revoked it. So, for example, if your access token has expired, but its refresh token has not yet expired, you can use them to generate a new set of tokens (refresh tokens).

If 45 days has passed and the refresh token has expired, you’ll need to use the Generate Tokens v2 API call to generate a new set of tokens.

Resource URL

https://<subdomain>/auth/oauth2/v2/token

Header Parameter

Content-Type

required

string

Set to application/json.

Request Parameters

grant_type

required

string

Set to refresh_token.

access_token

required

string

Set to the access token that you want to refresh.

refresh_token

required

string

Set to the refresh token associated with the access token you want to refresh.

This must be the refresh token that was created along with the access token by the Generate Tokens v2 API.

Sample Request Body

{
   "grant_type": "refresh_token",
   "access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34x8x614xxxx1451",
   "refresh_token": "628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523x9x9x0xxxx6x7x9320"
}

Sample Response


{
    "access_token": "",
    "created_at": "2015-11-11T22:46:15.961Z",
    "expires_in": 36000,
    "refresh_token": "",
    "token_type": "bearer"
}

Here are a few different errors that will return a 400 Bad Request status code:

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "Content Type is not specified or specified incorrectly.
                    Content-Type header must be set to application/json"
    }
}

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "grant_type is incorrect/absent"
    }
}

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "Access token cannot be refreshed. Please re-authenticate"
    }
}
{
    "status": {
        "error": true,
        "code": 401,
        "type": "Unauthorized",
        "message": "Invalid Token"
    }
}

Here are a few different errors that will return a 404 Not Found status code.

{
    "status": {
        "error": true,
        "code": 404,
        "type": "not found",
        "message": "Refresh Token could not be found"
    }
}

Typically, the following 404 Not Found: No Route Exists error means that you are using the incorrect method. If you receive this error, ensure that you are making a POST.

{
    "status": {
        "error": true,
        "code": 404,
        "type": "not found",
        "message": "No Route Exists"
    }
}

Postman Collection

Replace sample variables indicated by < > in the sample request body with your actual values. Also, be sure to set Postman-specific environment variables indicated by {{ }}.

Download for the OAuth 2.0 Tokens API version 2

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl 'https://<subdomain>/auth/oauth2/v2/token' \
-X POST \
-H "Authorization: client_id:<client_id>, client_secret:<client_secret>>" \
-H "Content-Type: application/json" \
-d '{
    "grant_type":"refresh_token",
    "access_token":"<access_token>",
    "refresh_token":"<refresh_token>"
}'

Python

See Work with OAuth 2.0 Tokens, Users, and Roles.


Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.