Authentication
Refresh Token
Refresh an expired or expiring access token
POST
Generates a new access token for an authenticated user without requiring password re-entry. This endpoint requires a valid existing access token.
Authentication
Bearer token from a previous loginFormat:
Bearer <access_token>Response
New JWT access token for authenticating subsequent requests
Token type, always returns “bearer”
Usage Notes
- This endpoint requires an existing valid access token in the Authorization header
- The new token will contain the same user information (email in the
subclaim) as the original token - Use this endpoint to maintain continuous authentication without requiring users to re-enter credentials
- The new token will have a fresh expiration time based on the server’s
ACCESS_TOKEN_EXPIRE_MINUTESconfiguration
Best Practices
- Proactive Refresh: Refresh tokens before they expire to avoid authentication interruptions
- Secure Storage: Store access tokens securely (e.g., in httpOnly cookies or secure storage)
- Token Rotation: Replace old tokens with new ones immediately after refresh
- Error Handling: Redirect to login if refresh fails (401 error)
Error Responses
| Status Code | Description |
|---|---|
| 200 | Successfully refreshed token |
| 401 | Invalid or expired token, could not validate credentials |
Implementation Details
- The endpoint validates the current token by decoding the JWT and verifying the user exists
- User information is extracted from the token’s
sub(subject) claim containing the email - A new token is generated with the same user email and fresh expiration time
- The original token becomes invalid practice (though technically could still work until its expiration)