Refresh Token Grant Type

The refresh token grant type is used to obtain a new access token using a previously obtained refresh token. The exchange is performed server-to-server and does not involve end-user interaction. Refresh tokens may only be obtained using the authorization code grant type or the password grant type.

Token request

POST /oauth/token

The client uses HTTP basic authentication with its client ID and client secret to authenticate itself to the token endpoint and must specify a Content-Type of application/x-www-form-urlencoded. The following parameters are provided in the body of the request using form-urlencoding.

| Parameter | Required? | Description |
|---|---|---|
| grant_type | yes | Value must be refresh_token. |
| refresh_token | yes | The refresh token. |
| scope | no | A space-delimited set of scope names. This may be a subset of the scopes originally requested when the refresh token was issued. If omitted, then the original set of granted scopes is used. |

Scopes requested using this grant type must be of type Generic or Authenticated Identity.

Example request:

POST /oauth/token HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Basic dGVzdDE6cGFzc3dvcmRwYXNzd29yZHBhc3N3b3JkcGFzc3dvcmQ=
Connection: keep-alive
Content-Length: 219
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: example.com:443

grant_type=refresh_token&scope=openid+email+offline_access&refresh_token=AXxINZiqwlLFWkS0_kG78XJRoTxyAAAAAAAAAAC8zhI7Q9fupyFr2GLMYFFPRKfC8BxSj5lepuIVr64HtTW2R5CF6392LG2hppugKd_Rhe2QwOBZ-XAdSMgSaiNVICypwNijh5LF8odapRX6fw

Token response

If the token request succeeds, the server responds with HTTP status 200.

| Field | Type | Provided? | Description |
|---|---|---|---|
| access_token | string | always | The access token. |
| token_type | string | always | The access token type. The value is always Bearer. |
| id_token | string | | The ID token, if one was requested. |
| refresh_token | string | always | Another refresh token. |
| state | string | | The same state value provided in the authorization request. |
| expires_in | number | always | A value in seconds indicating the lifetime of the access token. |
| scope | string | always | A space-delimited set of the scopes actually granted. |

Example response:

HTTP/1.1 200 OK
Content-Length: 409
Content-Type: application/json
Date: Mon, 18 Apr 2016 23:33:06 GMT
Pragma: no-cache
Cache-Control: no-store

{
    "access_token": "eyJraWQiOiJBY2Nlc3MgVG9rZW4gU2lnbmluZyBLZXkgUGFpciIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJVc2Vyc1wvOTkyM2RiYjgtZTdjNi00NjlmLWI3ZGItYWY3OTMxNzc0MDQ0Iiwic2NvcGUiOiJvcGVuaWQgZW1haWwgb2ZmbGluZV9hY2Nlc3MiLCJleHAiOjE0NzUzMzczOTYsImlhdCI6MTQ3NDkwNTM5NiwiY2xpZW50X2lkIjoidGVzdDEiLCJqdGkiOiJhLjVtTWFSQSJ9.YYsGY4ZNGhzTF9zMDOHdZJ5isFPRnj0UgwHMgekwA-wU29EoFOZY92_1UGIuJLVbH5tjVmxBabmC3BC6rxDraiddSssy93IrVge7D9urjbDSS7eNLY9lx1rv2FTOkTSAMLUl6rdUYM_pndqlS0T9w_Gqmz0Krnr9yNJ6TgbUz429bhaUpHR1kpIeJwPyqpyhooSilyvfyEjymYpy19f18YCBjb_rRAc0GJqY8C3p-PexyEC4MzC6YnkCavzEm5BEZ64197lopoCPQOFDSzU3I-XTzp9hWKpc9S3kXOQ5N0MwSoNohLILAYLHqq-tC5VWTqdh6dZ7TjSUHPRCBKPN9A",
    "expires_in": 43200,
    "refresh_token": "AXpKY5sxMMSdJ6BsSLk7k909SvyUAAAAAAAAAAArP5-fT6w5dnEdReZpfrpSZ-hFAvrw75sAMdoyF_KSijRgQs1JS-iO2dZln_FGap3qc_Hv3uAeqccbINh4pXOhu1uoWAHNoxOsOMYPl-C6Dw",
    "scope": "openid email offline_access",
    "token_type": "Bearer"
}
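The request construction and response validation described above, written out as an added Python example (client side only; not code from this page or from the server it documents). The function names, the placeholder token strings and the constructed sample response are assumptions; it builds the Basic credentials and form body exactly as the request section specifies, refuses to widen scope beyond what was originally granted, and keeps the rotated refresh token from the response.

```python
import base64
import json
from urllib.parse import urlencode

def build_refresh_request(client_id, client_secret, refresh_token,
                          original_scopes, requested_scopes=None):
    """Build headers and form body for a refresh_token grant to POST /oauth/token."""
    # scope may only narrow the originally granted set; None omits the parameter,
    # in which case the server reuses the original set of granted scopes.
    if requested_scopes is not None:
        widened = set(requested_scopes) - set(original_scopes)
        if widened:
            raise ValueError(f"cannot widen scope on refresh: {sorted(widened)}")
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if requested_scopes is not None:
        params["scope"] = " ".join(requested_scopes)  # urlencode turns spaces into '+'
    body = urlencode(params)
    # The client authenticates with HTTP Basic: base64("client_id:client_secret").
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded",
               "Content-Length": str(len(body))}
    return headers, body

def handle_token_response(status, body, expected_scopes):
    """Validate a token response and return what the client should persist."""
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    resp = json.loads(body)
    for field in ("access_token", "token_type", "refresh_token", "expires_in", "scope"):
        if field not in resp:  # documented as always present on success
            raise ValueError(f"response is missing {field}")
    if resp["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type {resp['token_type']!r}")
    granted = resp["scope"].split()
    if set(granted) - set(expected_scopes):
        raise ValueError("server granted scopes the client did not request")
    # Another refresh token is issued on every call: store it, discard the old one.
    return {"access_token": resp["access_token"],
            "refresh_token": resp["refresh_token"],
            "expires_in": int(resp["expires_in"]),
            "scope": granted}

# Constructed sample response (placeholder token strings, not real tokens).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "ACCESS-TOKEN-PLACEHOLDER", "expires_in": 43200,
    "refresh_token": "NEW-REFRESH-TOKEN-PLACEHOLDER",
    "scope": "openid email offline_access", "token_type": "Bearer"})
```

With the client ID and secret encoded in the example request above (test1 and password repeated four times), build_refresh_request reproduces that request's Authorization header.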