Refresh a Token
Use this API to refresh the session for a user and generate a new set of access tokens.
The authentication requirements for this request are dependent on the Token Endpoint Authentication Method that is defined on an OpenId Connect application.
- Basic - Client ID and Client Secret are required in the Authorization header.
- POST - Client ID and Client Secret are required in the request body.
- None (PKCE) - Client ID is required in the request body. Do not include Client Secret.
Resource URL
https://<subdomain>.onelogin.com/oidc/2/tokenHeader Parameter
Authorization string |
Required if Token Endpoint Authentication Method is set to Basic Set to The e.g. Using Node.js this would be |
Content-Type required string | application/x-www-form-urlencoded |
Resource Parameter
subdomain required string |
Set to the e.g. |
Request Parameter
grant_type required string |
Set to “refresh_token” |
refresh_token required string |
Set this to the |
client_id string |
The OneLogin generated Client ID for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST or none (PKCE). |
client_secret string |
The OneLogin generated Client Secret for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST. |
Sample Request Body
refresh_token=xxxxx&grant_type=refresh_tokenSample Response
- 200 OK
- 400 Bad Request
- 401 Unauthorized
{
"access_token": "ZTUxMWY5OGUtMGRlYi00ZTNkLThjYWEtYzkzY2U4NDVmMmM5gt4dEytSyyNvsA4wragMwLMTa...",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkpSY080bnhzNWpnYzhZZE43STJoTE80V...",
"refresh_token": "ZWM0MTI1NzktNjE1My00OTRkLWE2OWMtMWFmOGRlNzA1ZDQ2LqQ6dEuxfqsf9....",
"token_type": "Bearer"
}Probably an invalid client_id
{
"error": "invalid_request",
"error_description": "Resource not found"
}The grant_type MUST be set to refresh_token
{
"error": "unsupported_grant_type",
"error_description": "unsupported grant_type requested (xxxx)"
}The authorization header is invalid
{
"error": "invalid_request",
"error_description": "invalid authorization header value format"
}{
"error": "invalid_request",
"error_description": "Authentication Failed"
}{
"error": "invalid_request",
"error_description": "User is locked. Access is unauthorized"
}{
"error": "invalid_request",
"error_description": "User is suspended. Access is unauthorized"
}{
"error": "invalid_request",
"error_description": "Access is unauthorized"
}Response Elements
access_token |
The token that represents the session that has just been created for the user. |
expires_in |
The number of seconds until the session expires |
id_token |
A JWT containing user and scope information for this session |
refresh_token |
The token that should be used to refresh the session again |
token_type |
The type of access token. Always set to “Bearer” |
Sample Code
cURL
Replace sample values indicated by < > with your actual values.
curl -XPOST "https://<subdomain>.onelogin.com/oidc/2/token" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=<refresh token>"
Postman Collection
- Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.
Have a Question?
Found a problem or a bug? Submit a support ticket.
Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.
Have a product idea or request? Share it with us in our Ideas Portal.