Using a Refresh Token

An access token is valid for a short period for secrity purposes. Once they expire, client applications can use a refresh token to retrieve a new access token.

Access tokens expire after 30 minutes.
Refresh tokens expire after 14 days.

A refresh token is a credential artefact that lets a client application get new access tokens without asking for the user credentials again. As part of the OAuth security concept, the refresh token prevents excessive transmission of user credentials that lower security, as more requests offer more attack opportunities.


Endpoint This endpoint creates tokens valid for the production environment. This is the environment where standard clients do all the work.
Method POST


Header Content-Type: application/x-www-form-urlencoded


Form values

 grant_type: refresh_token
 client_id: integration-api
 refresh_token: _REFRESH_TOKEN_

Use the _REFRESH_TOKEN_ from the initial access token request (1FA or 2FA) to retrieve the subsequent access token.

You can find the refresh token at the JSON path $.refresh_token


    "access_token": "ACCESS_TOKEN",
    "expires_in": JAVA_TIMESTAMP,
    "refresh_expires_in": 1209600,
    "refresh_token": "REFRESH_TOKEN",
    "token_type": "bearer",
    "not-before-policy": JAVA_TIMESTAMP,
    "session_state": "UUID",


The response contains the access token at JSON path $.access_token. For security reasons never share the access token or the refresh token found at the JSON path $.refresh_token.

You can use the access token as a bearer authentication header for subsequent API calls.

Authentication:Bearer ACCESS_TOKEN

Default expiration time: 1800 sec.

The value 1209600 is the time left to expire (start value), in seconds.


Was this article helpful?



Article is closed for comments.

Still have questions?

Please submit a request and we will get back to you shortly.

Submit a ticket