Reference / Sessions

Rotate a refresh token, returning a fresh access + refresh pair. Reuse of a consumed token burns the whole session family (theft response).

POST /v1/sessions/refresh
End-user session operationId: refresh

Authorization

Called from the browser with the publishable application id (x-application-id); the access token lives in memory.

Request body · required

  • refresh_token string required

    The opaque refresh token from the previous issue/refresh.

Responses

200 Rotated
{
  "data": {
    "aal": 0,
    "access_token": "string",
    "expires_in": 0,
    "refresh_token": "string",
    "session_id": "018f3c4a-7b2e-7c1d-9e0a-1f2b3c4d5e6f",
    "token_type": "string"
  },
  "error": {
    "code": "string",
    "message": "string"
  },
  "meta": {
    "timestamp": "string"
  },
  "success": false
}
401 Invalid, expired, or reused refresh token

Request

curl -X POST "http://localhost:8080/v1/sessions/refresh" \
  -H "Content-Type: application/json" \
  -d '{
  "refresh_token": "string"
}'

Try it

live request
POST http://localhost:8080/v1/sessions/refresh

Request body

application/json