GET /intern/refresh
curl -X GET https://api.demet.com/intern/refresh \
  -b cookies.txt \
  -c cookies.txt
{
  "message": "Access token renovado"
}

Overview

This endpoint renews the access token using a valid refresh token stored in cookies. When the access token expires, call this endpoint to obtain a new one without requiring the user to log in again.

Authentication

Requires a valid refresh_token cookie. This cookie is automatically set during login.

Request

No request body or parameters required. The refresh token is automatically read from the refresh_token cookie.

Response

message (string): Success message confirming the access token has been renewed.

Cookies Updated

access_token (string): A new JWT access token is set in cookies, replacing the expired one.

Cookie Settings:
  • httpOnly: false
  • secure: true
  • sameSite: none

Token Refresh Flow

  1. Access Token Expires: Client detects 401 Unauthorized on API requests
  2. Request New Token: Client calls the refresh endpoint
  3. Validate Refresh Token: Server verifies the refresh token from cookies
  4. Generate New Access Token: Server creates a new access token with same user claims
  5. Update Cookie: New access token is sent back via cookie
  6. Retry Original Request: Client retries the failed request with new token

How It Works

Implementation Example

Here’s how to implement automatic token refresh in a client application:
class ApiClient {
  async request(url, options = {}) {
    try {
      // Try the original request
      let response = await fetch(url, {
        ...options,
        credentials: 'include'
      });
      
      // If unauthorized, try refreshing the token
      if (response.status === 401) {
        console.log('Access token expired, refreshing...');
        
        const refreshResponse = await fetch(
          'https://api.demet.com/intern/refresh',
          { method: 'GET', credentials: 'include' }
        );
        
        if (refreshResponse.ok) {
          console.log('Token refreshed, retrying request...');
          // Retry the original request with new token
          response = await fetch(url, {
            ...options,
            credentials: 'include'
          });
        } else {
          // Refresh failed (refresh token missing, invalid or expired):
          // redirect to login and throw so the caller never receives
          // an undefined response and tries to call .json() on it
          console.log('Refresh failed, redirecting to login...');
          window.location.href = '/login';
          throw new Error('Session expired, login required');
        }
      }
      
      return response;
    } catch (error) {
      console.error('Request failed:', error);
      throw error;
    }
  }
}

// Usage
const client = new ApiClient();
const response = await client.request('https://api.demet.com/intern/get');
const data = await response.json();

Error Handling

Status Code   Error                       Action
401           Refresh token not found     User must log in again
400           Token invalid or expired    User must log in again
200           Success                     Continue with new access token

Security Notes

  • Refresh tokens have a longer lifetime than access tokens
  • The refresh token is validated using JWT verification
  • If the refresh token is invalid or expired, the user must log in again
  • Refresh tokens cannot be used to access API endpoints directly
  • Both tokens use the same signing key but different expiration times

Best Practices

  1. Automatic Refresh: Implement automatic token refresh in your API client
  2. Handle Failures: If refresh fails, redirect to login page
  3. Don’t Cache: Don’t store tokens in localStorage (use cookies only)
  4. Retry Logic: Automatically retry failed requests after refreshing
  5. Single Refresh: Ensure only one refresh request is in flight at a time
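
The client from the Implementation Example above, reworked to satisfy the Single Refresh and Retry Logic practices, as an added example that is not part of these docs: concurrent 401s share one GET /intern/refresh call, each request is retried at most once, and the `fetchImpl` parameter plus the `makeFakeFetch` stand-in server are assumptions so the logic runs offline (in a browser, pass `window.fetch`).

```javascript
// Added example, not the demet API's own code: a client that keeps a single
// refresh in flight (concurrent 401s share one GET /intern/refresh) and
// retries each request at most once. fetchImpl is injected so it runs
// outside a browser; in the browser pass window.fetch.
function createApiClient(fetchImpl, refreshUrl = 'https://api.demet.com/intern/refresh') {
  let refreshInFlight = null; // shared promise while a refresh is running
  let refreshCount = 0;       // number of refresh requests actually sent

  function refreshOnce() {
    if (!refreshInFlight) {
      refreshCount += 1;
      refreshInFlight = fetchImpl(refreshUrl, { method: 'GET', credentials: 'include' })
        .then((r) => r.ok)                         // 401/400 means the refresh token is unusable
        .finally(() => { refreshInFlight = null; });
    }
    return refreshInFlight; // every concurrent caller awaits the same promise
  }

  async function request(url, options = {}) {
    const opts = { ...options, credentials: 'include' };
    let response = await fetchImpl(url, opts);
    if (response.status !== 401) return response;

    if (!(await refreshOnce())) {
      // Refresh token missing/invalid: the caller must send the user back to login.
      throw new Error('session expired: refresh failed, login required');
    }
    response = await fetchImpl(url, opts); // retry once; a second 401 is returned as-is
    return response;
  }

  return { request, getRefreshCount: () => refreshCount };
}

// Constructed stand-in for the server (assumption, not a real endpoint): the access
// token starts expired, so API calls get 401 until the refresh endpoint is called.
function makeFakeFetch({ refreshTokenValid = true } = {}) {
  let accessTokenValid = false;
  const reply = (status, body) => ({ ok: status === 200, status, json: async () => body });
  return async (url) => {
    if (url.endsWith('/intern/refresh')) {
      if (!refreshTokenValid) return reply(401, { message: 'Refresh token not found' });
      accessTokenValid = true;
      return reply(200, { message: 'Access token renovado' });
    }
    return accessTokenValid ? reply(200, { url }) : reply(401, { message: 'Unauthorized' });
  };
}
```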
