Rotate a refresh token, returning a fresh access + refresh pair. Reuse of a consumed token burns the whole session family (theft response).
POST /v1/sessions/refresh
End-user session · operationId: refresh
Authorization
Called from the browser with the publishable application id (x-application-id); the access token lives in memory.
Request body · required
refresh_token · string · required
The opaque refresh token from the previous issue/refresh.
Responses
200 Rotated
{
  "data": {
    "aal": 0,
    "access_token": "string",
    "expires_in": 0,
    "refresh_token": "string",
    "session_id": "018f3c4a-7b2e-7c1d-9e0a-1f2b3c4d5e6f",
    "token_type": "string"
  },
  "error": {
    "code": "string",
    "message": "string"
  },
  "meta": {
    "timestamp": "string"
  },
  "success": false
}
401 Invalid, expired, or reused refresh token
Request
curl -X POST "http://localhost:8080/v1/sessions/refresh" \
-H "Content-Type: application/json" \
-d '{
"refresh_token": "string"
}'
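Because presenting a consumed refresh token again burns the whole session family, a browser client should let concurrent callers share one rotation rather than each sending the same token. The following is an added example, not code from this API's project; the `SessionClient` class, the injected `send` transport and keeping the refresh token in memory are assumptions.

```javascript
// Added example: single-flight refresh client for POST /v1/sessions/refresh.
// Assumptions (not from the page): the SessionClient name, the injected `send`
// transport, and holding the refresh token in memory beside the access token.
class SessionClient {
  constructor({ baseUrl, applicationId, refreshToken, send = (...a) => fetch(...a) }) {
    this.baseUrl = baseUrl;
    this.applicationId = applicationId; // publishable id sent as x-application-id
    this.refreshToken = refreshToken;
    this.accessToken = null;            // kept in memory only
    this.inFlight = null;               // shared promise while a rotation is running
    this.send = send;
  }

  // Coalesce concurrent callers onto one request so the same refresh token is
  // never submitted twice; a second submission would count as reuse.
  refresh() {
    if (!this.inFlight) {
      this.inFlight = this.rotate().finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }

  async rotate() {
    const res = await this.send(`${this.baseUrl}/v1/sessions/refresh`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "x-application-id": this.applicationId,
      },
      body: JSON.stringify({ refresh_token: this.refreshToken }),
    });
    if (res.status === 401) {
      // Invalid, expired, or reused: drop all tokens and force re-authentication.
      this.refreshToken = this.accessToken = null;
      throw new Error("session ended: sign in again");
    }
    // Any other failure leaves the stored tokens unchanged.
    if (!res.ok) throw new Error(`refresh failed: HTTP ${res.status}`);
    const { data } = await res.json();
    // Swap in the new pair; the previous refresh token is now consumed.
    this.refreshToken = data.refresh_token;
    this.accessToken = data.access_token;
    return this.accessToken;
  }
}
```

Callers that receive the 401 error should treat the session as ended and restart sign-in rather than retry with any previously held token.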