Skip to main content

POST /api/auth/refresh-token

Exchanges a valid refresh token for a new set of access and refresh tokens. This endpoint is used to maintain user sessions without requiring re-authentication.

Authentication

Requires a valid refreshToken cookie.

Request Body

No request body required. The refresh token is read from cookies.

Response

message
string
Success message confirming token refresh.

Cookies Set

  • accessToken - New JWT access token (HTTP-only, 7 days expiry)
  • refreshToken - New JWT refresh token (HTTP-only, 7 days expiry)

Example Request

POST /api/auth/refresh-token
Cookie: refreshToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Example Response

{
  "message": "Token refreshed"
}

Error Responses

error
string
Error message describing what went wrong.

401 Unauthorized

  • No refresh token - The refreshToken cookie is missing from the request
  • Invalid refresh token - The refresh token is expired, malformed, or invalid

500 Internal Server Error

  • Server error with error message details

Notes

  • The refresh token must be sent as an HTTP-only cookie
  • Both a new access token and refresh token are generated and returned
  • The old refresh token becomes invalid after a successful refresh (token rotation)
  • Token verification is handled by the verifyRefreshToken utility (see ~/workspace/source/src/api/auth/refreshToken.js:18)
  • New tokens preserve the user’s ID and role from the original token (see ~/workspace/source/src/api/auth/refreshToken.js:23)
  • Cookies use sameSite: 'strict' for CSRF protection
  • In production environments, cookies are set with the secure flag (HTTPS only)

Build docs developers (and LLMs) love

Get started for freeTalk to us