Refresh Token Flow


The refresh token flow is used when the client application already has a copy of a user’s refresh token, and needs to periodically obtain a new access token. This is useful when implementing background activities that need to access resources in an automated way (e.g., syncing data).

Protocol


Unlike access tokens, refresh tokens don’t expire (although they can be revoked by the user). As such, a refresh token should only be used in secure settings. Here’s some example JavaScript that shows how to initiate the flow.

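const request = require('request');
request.post({
    // Scheme assumed (the original URL omits it); secrets must travel over TLS.
    url: 'https://1.2.3.4:8080/token',
    qs:  { 'refresh_token' : refresh_token,
           'client_id' : CLIENT_ID,
           'client_secret': CLIENT_SECRET,
           'grant_type': 'refresh_token' },
    json: true   // parse the JSON response body
}, function (err, res, body) {
    // body holds the token object on success, or the error object on failure
});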

If successful, the response will be a JSON object:

{
   "access_token": "axb2y-...",
   "expires_in":3600,
   "token_type":"Bearer"
}

In the case of an error, the response will have a status code of 400 (or above) and a JSON object with the following structure:

{
   "error": "invalid_refresh_token",
   "error_description": "Invalid refresh token"
}
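
The sketch below is an added example, not code from the original page or its project. It shows one way a background client could act on the two response shapes above: validate a success body before trusting it, refresh shortly before expires_in runs out, and discard a refresh token that the server reports as invalid (for instance after the user revoked it). The function names, the 60-second margin, the 'malformed_response' and 'unknown_error' labels and the sample values are assumptions.

```javascript
'use strict';

// Assumed safety margin (not from the page): refresh this long before expiry.
const SKEW_MS = 60 * 1000;

// Map the endpoint's HTTP status and parsed JSON body to a client decision.
function interpretTokenResponse(statusCode, body, nowMs) {
    if (statusCode >= 400) {
        const code = body && typeof body.error === 'string' ? body.error : 'unknown_error';
        return {
            ok: false,
            error: code,
            // A revoked or invalid refresh token never becomes valid again:
            // delete the stored copy and send the user back through authorization.
            discardRefreshToken: code === 'invalid_refresh_token',
            // Only server-side failures are worth retrying with the same token.
            retryable: statusCode >= 500,
        };
    }
    // Validate before trusting: a malformed body must not yield a usable token.
    const valid = body &&
        typeof body.access_token === 'string' && body.access_token !== '' &&
        String(body.token_type).toLowerCase() === 'bearer' &&
        Number.isInteger(body.expires_in) && body.expires_in > 0;
    if (!valid) {
        return { ok: false, error: 'malformed_response', discardRefreshToken: false, retryable: false };
    }
    return { ok: true, accessToken: body.access_token, expiresAtMs: nowMs + body.expires_in * 1000 };
}

// True when there is no usable access token or it is inside the skew window.
function needsRefresh(token, nowMs) {
    return !token || !token.ok || nowMs >= token.expiresAtMs - SKEW_MS;
}

// Constructed sample responses, shaped like the two JSON objects above.
const sampleOk = { access_token: 'constructed-token', expires_in: 3600, token_type: 'Bearer' };
const sampleErr = { error: 'invalid_refresh_token', error_description: 'Invalid refresh token' };

const now = Date.now();
const token = interpretTokenResponse(200, sampleOk, now);
console.log('refresh needed now?', needsRefresh(token, now));
console.log('on error:', interpretTokenResponse(400, sampleErr, now));
```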