POST /api/auth/refresh-token
Refresh Token
curl --request POST \
  --url https://api.example.com/api/auth/refresh-token \
  --header 'Content-Type: application/json' \
  --data '
{
  "refreshToken": "<string>"
}
'
{
  "accessToken": "<string>",
  "refreshToken": "<string>",
  "expiresIn": 123,
  "requiresPasswordChange": true
}
Exchanges a Cognito refresh token for a new access token and ID token. Use this endpoint to maintain an authenticated session without requiring the user to log in again.

Authentication

This is a public endpoint that does not require authentication. However, you must provide a valid refresh token obtained from a previous login.

Rate Limiting

This endpoint is rate-limited to 5 requests per minute per IP address.

Request Body

refreshToken
string
required
Cognito refresh token obtained from a previous login response. This is the long-lived token returned by /api/auth/login. Example: eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ...

Request Example

curl -X POST https://api.example.com/api/auth/refresh-token \
  -H "Content-Type: application/json" \
  -d '{
    "refreshToken": "eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ..."
  }'

Response

Success Response (200 OK)

accessToken
string
New Cognito JWT access token. Use this token in the Authorization: Bearer <token> header for authenticated requests.
refreshToken
string
The same refresh token that was provided in the request. Cognito does not issue a new refresh token on refresh, so the original token is returned.
expiresIn
number
Token expiration time in seconds. Typically 3600 (1 hour).
requiresPasswordChange
boolean
Always false for refresh token responses
{
  "accessToken": "eyJraWQiOiJxYz...",
  "refreshToken": "eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ...",
  "expiresIn": 3600,
  "requiresPasswordChange": false
}

Error Responses

401 Unauthorized
Invalid or expired refresh token. The refresh token is malformed, expired, or has been revoked.
{
  "statusCode": 401,
  "message": "Invalid or expired refresh token",
  "error": "Unauthorized"
}
429 Too Many Requests
Rate limit exceeded. More than 5 requests in 1 minute.
{
  "statusCode": 429,
  "message": "Too many requests",
  "error": "Too Many Requests"
}

Notes

  • Refresh tokens are long-lived and remain valid until explicitly revoked
  • Cognito does not rotate refresh tokens automatically—the same refresh token can be used multiple times
  • Access tokens expire after 1 hour, so refresh them before they expire to maintain a seamless user experience
  • If the refresh token is expired or invalid, the user must log in again using /api/auth/login
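A client-side refresh routine for this endpoint, added here as an example and not part of the API's own SDK: it maps 401 to "log in again", 429 to "back off", keeps the unrotated refresh token, and schedules the next refresh ahead of expiresIn. The injectable transport, the 300-second margin and the token strings in fake_transport are assumptions made for this example.

```python
# Added example (not the API's own SDK): client-side refresh against
# POST /api/auth/refresh-token. The transport is injectable so it runs offline.
import json
import time
import urllib.error
import urllib.request

REFRESH_URL = "https://api.example.com/api/auth/refresh-token"  # URL from the page
REFRESH_MARGIN_SECONDS = 300  # assumption: refresh 5 minutes before expiry
class LoginRequired(Exception):
    """401: token malformed, expired or revoked; user must log in again via /api/auth/login."""
class RateLimited(Exception):
    """429: more than 5 requests/minute from this IP; back off before retrying."""

def http_transport(url, body):
    """Real transport: POST a JSON body and return (status, parsed JSON)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, json.load(e)

def refresh_session(refresh_token, transport=http_transport, now=time.time):
    """Exchange the refresh token; return the new access token and when to refresh next."""
    status, body = transport(REFRESH_URL, {"refreshToken": refresh_token})
    if status == 401:
        raise LoginRequired(body.get("message", "refresh token rejected"))
    if status == 429:
        raise RateLimited(body.get("message", "rate limit exceeded"))
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    expires_in = int(body["expiresIn"])  # seconds, typically 3600
    return {
        "access_token": body["accessToken"],
        # Cognito does not rotate refresh tokens here, so the same token is kept
        "refresh_token": body.get("refreshToken", refresh_token),
        # schedule the next refresh before expiry, never in the past
        "refresh_at": now() + max(expires_in - REFRESH_MARGIN_SECONDS, 0),
    }

def fake_transport(url, body):
    """Constructed offline responses; token values are made up for this example."""
    token = body["refreshToken"]
    if token == "valid-refresh":
        return 200, {"accessToken": "eyJraWQiOiJxYz...", "refreshToken": token,
                     "expiresIn": 3600, "requiresPasswordChange": False}
    if token == "too-fast":
        return 429, {"statusCode": 429, "message": "Too many requests", "error": "Too Many Requests"}
    return 401, {"statusCode": 401, "message": "Invalid or expired refresh token", "error": "Unauthorized"}
```

Never log the refresh token or the returned access token; on LoginRequired discard the stored refresh token and route the user to /api/auth/login.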
