Refresh a Token
Use this API to refresh the session for a user and generate a new set of access tokens.
The authentication requirements for this request depend on the Token Endpoint Authentication Method that is defined on the OpenID Connect application.
- Basic - Client ID and Client Secret are required in the Authorization header.
- POST - Client ID and Client Secret are required in the request body.
- None (PKCE) - Client ID is required in the request body. Do not include Client Secret.
Resource URL
https://<subdomain>.onelogin.com/oidc/2/token
Header Parameter
- Authorization (string): Required if Token Endpoint Authentication Method is set to Basic. Set to The e.g. Using Node.js this would be
- Content-Type (required, string): application/x-www-form-urlencoded
Resource Parameter
- subdomain (required, string): Set to the e.g.
Request Parameter
- grant_type (required, string): Set to “refresh_token”
- refresh_token (required, string): Set this to the
- client_id (string): The OneLogin generated Client ID for your OpenID Connect app. Required if Token Endpoint Authentication Method is set to POST or None (PKCE).
- client_secret (string): The OneLogin generated Client Secret for your OpenID Connect app. Required if Token Endpoint Authentication Method is set to POST.
Sample Request Body
refresh_token=xxxxx&grant_type=refresh_token
Sample Response
- 200 OK
- 400 Bad Request
- 401 Unauthorized
{
"access_token": "ZTUxMWY5OGUtMGRlYi00ZTNkLThjYWEtYzkzY2U4NDVmMmM5gt4dEytSyyNvsA4wragMwLMTa...",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkpSY080bnhzNWpnYzhZZE43STJoTE80V...",
"refresh_token": "ZWM0MTI1NzktNjE1My00OTRkLWE2OWMtMWFmOGRlNzA1ZDQ2LqQ6dEuxfqsf9....",
"token_type": "Bearer"
}
Probably an invalid client_id
{
"error": "invalid_request",
"error_description": "Resource not found"
}
The grant_type MUST be set to refresh_token
{
"error": "unsupported_grant_type",
"error_description": "unsupported grant_type requested (xxxx)"
}
The authorization header is invalid
{
"error": "invalid_request",
"error_description": "invalid authorization header value format"
}
{
"error": "invalid_request",
"error_description": "Authentication Failed"
}
{
"error": "invalid_request",
"error_description": "User is locked. Access is unauthorized"
}
{
"error": "invalid_request",
"error_description": "User is suspended. Access is unauthorized"
}
{
"error": "invalid_request",
"error_description": "Access is unauthorized"
}
Response Elements
- access_token: The token that represents the session that has just been created for the user.
- expires_in: The number of seconds until the session expires.
- id_token: A JWT containing user and scope information for this session.
- refresh_token: The token that should be used to refresh the session again.
- token_type: The type of access token. Always set to “Bearer”.
Sample Code
cURL
Replace sample values indicated by < > with your actual values.
curl -XPOST "https://<subdomain>.onelogin.com/oidc/2/token" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=<refresh token>"
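Node.js
The same request built for each Token Endpoint Authentication Method, with handling for the responses listed above, as an added example that is not OneLogin's own code. The function names, the `authMethod` values (`basic`, `post`, `none`) and the subdomain pattern check are assumptions made for this example; `refreshSession` relies on the global `fetch` in Node 18 or later.

```javascript
// Added example, not OneLogin's code; names and authMethod values are assumptions.
function buildRefreshRequest({ subdomain, authMethod, clientId, clientSecret, refreshToken }) {
  // Assumed check: reject anything that could send tokens to another host.
  if (!/^[a-z0-9-]+$/i.test(subdomain)) throw new Error('invalid subdomain');
  if (!refreshToken) throw new Error('refresh_token is required');
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const body = new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken });
  switch (authMethod) {
    case 'basic': // Client ID and Client Secret in the Authorization header
      if (!clientId || !clientSecret) throw new Error('basic needs client_id and client_secret');
      headers.Authorization = 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
      break;
    case 'post': // Client ID and Client Secret in the request body
      if (!clientId || !clientSecret) throw new Error('post needs client_id and client_secret');
      body.set('client_id', clientId);
      body.set('client_secret', clientSecret);
      break;
    case 'none': // PKCE: Client ID in the body, never a Client Secret
      if (!clientId) throw new Error('none (PKCE) needs client_id');
      if (clientSecret) throw new Error('client_secret must not be sent with PKCE');
      body.set('client_id', clientId);
      break;
    default:
      throw new Error(`unknown auth method: ${authMethod}`);
  }
  return { url: `https://${subdomain}.onelogin.com/oidc/2/token`, headers, body: body.toString() };
}

// Interprets the token endpoint reply. On 200 the caller stores the returned
// refresh_token, which is the one to use for the next refresh.
function parseTokenResponse(status, json) {
  if (status === 200) {
    return {
      accessToken: json.access_token,
      idToken: json.id_token,
      refreshToken: json.refresh_token,
      expiresAt: Date.now() + json.expires_in * 1000,
    };
  }
  // Report only the error code and description, never tokens or the secret.
  const message = `${status} ${json.error}: ${json.error_description}`;
  throw Object.assign(new Error(message), { status, code: json.error });
}

async function refreshSession(config) {
  const { url, headers, body } = buildRefreshRequest(config);
  const res = await fetch(url, { method: 'POST', headers, body });
  return parseTokenResponse(res.status, await res.json());
}
```
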
Postman Collection
Replace sample variables indicated by {{ }} with your actual values.
Download for the OpenId Connect API