Refresh Token
A refresh token is a credential artefact that allows a client application to obtain new access tokens without requiring the user to log in back. Client apps can utilize a refresh token to "refresh" access tokens once they have expired. Access tokens will only be valid for a short time for security reasons. When you get an access token, you'll get a refresh token in the response.
Resource Informations
| Name | Value | Description |
|---|---|---|
| Requires authentication? | Yes | ClientID is required for this authentication |
| Rate limited? | No | Rate limited indicate how many requests a client can make in a time period |
Request
Request headers
| Key | Value | Description |
|---|---|---|
| Content-Type | application/x-www-form-urlencoded | Method for sending name-value pairs data to the server, such as the information you typed into a HTML form. |
Request URL
POST https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token
note
API requests must be made over https. Calls made over plain http will fail.
Request body (*Required)
| Field Name | Type | Description |
|---|---|---|
| grant_type* | String | Grant Type should set to refresh_token. |
| refresh_token* | String | The refresh token to be used. Use any one of the methods listed under Create Access Token to get the refresh token. |
| client_id* | String | The refresh token will be generated for the given client. |
| client_secret | String | Secret corresponding to the given clientID. Secret will be available only for the clients with access type selected confidential during client creation. This is an optional parameter. |
Sample Request
curl --location --request POST 'https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=eyJhbGc' \
--data-urlencode 'client_id=test'
Response
| Parameter Name | Type | Description |
|---|---|---|
| access_token | String | The newly created access token. |
| expires_in | Integer | Validity of the access token in seconds. |
| refresh_expires_in | Integer | Validity of the refresh token in seconds. |
| refresh_token | String | The new refresh token. |
| token_type | String | Indicates access token type. |
| not-before-policy | Integer | not-before policy ensures that any tokens issued before that time become invalid. |
| session_state | Integer | The Client ID salted cryptographic hash, the root URL, and the browser state are all included in the session state value. Basically session_state value is used to monitor end user sessions. |
| scope | String | The scope requested for the token. |
Sample Response
{
"access_token": "UIiwia2lkIiA6ICJiZTIxM",
"expires_in": 18000,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR",
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": "asdasdwx-81ed-4942-ab59-6c8799171abb",
"scope": "scope"
}
Response Status Information
| Status Code | Status | Message |
|---|---|---|
| 200 | OK | OK |
| 400 | Bad Request | Invalid refresh token |
| 401 | Unauthorized | HTTP 401 Unauthorized |
| 401 | Unauthorized | Invalid client secret |
| 404 | Not Found | Realm does not exist |