POST /api/auth/refresh-token

Exchanges a valid refresh token for a new pair of access and refresh tokens. The old refresh token is invalidated after successful renewal.

Request body

refreshToken (string, required)
  Valid refresh token obtained from login or a previous refresh

Response

success (boolean)
  Indicates whether the token refresh was successful
message (string)
  Human-readable response message
data (object)
  New authentication tokens (accessToken and refreshToken)

Status codes

  • 200 - Tokens refreshed successfully
  • 400 - Refresh token not provided
  • 401 - Invalid, expired, or revoked refresh token
  • 500 - Internal server error

The old refresh token is automatically deleted and can no longer be used. Always store and use the new refresh token from the response.

Refresh tokens are single-use. Once a refresh token is used to obtain new tokens, it becomes invalid. Attempting to reuse it will result in a 401 error.

Examples

curl -X POST https://api.campusbite.com/api/auth/refresh-token \
  -H "Content-Type: application/json" \
  -d '{
    "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }'

Success response (200)

{
  "success": true,
  "message": "Tokens refreshed successfully.",
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

Error response (400)

{
  "success": false,
  "message": "Refresh token is required."
}

Error response (401) - Invalid token

{
  "success": false,
  "message": "Invalid refresh token."
}

Error response (401) - Expired or not found

{
  "success": false,
  "message": "Refresh token not found or expired."
}

Token rotation process

This endpoint implements refresh token rotation for enhanced security:
  1. Validates the provided refresh token (signature and expiration)
  2. Verifies the token exists in the database and hasn’t expired
  3. Deletes the old refresh token from the database
  4. Generates a new access token and refresh token pair
  5. Stores the new refresh token in the database with a 7-day expiration
  6. Returns both new tokens to the client

Refresh tokens are automatically removed from the database when they expire using MongoDB TTL indexes.