
Refresh Token

Because access tokens are valid for only a short period of time, when a client acquires an access token to access a protected resource, the client also receives a refresh token.

Without a refresh token, the client would have to ask the user for permission again, which makes for a poor user experience: the user would need to authenticate and consent multiple times for the same permissions and the same client application. Instead, use the refresh token to get a new access token.

Since your client app already holds both tokens (access token and refresh token), it only needs to send its credentials (client_id and client_secret) along with the refresh token to the authorization server to get a new access token that has the same permissions as the old/expired access token.

Send the following parameters to the authorization server at the token endpoint.

| Parameter | Value | Description |
| --- | --- | --- |
| grant_type | refresh_token | Fixed |
| refresh_token | c9anx0NPaI-IGiQQ1... | The refresh_token associated with the access_token |
| client_id | 7590139168389961 | Your app id |
| client_secret | | Send client secret in basic header or request body, see Token endpoint auth method |

The API request should look like this (the following example uses the basic header method):

curl --location --request POST 'https://api.tiki.vn/sc/oauth2/token' \
--header 'Authorization: Basic NzU5MDEzOTE2ODM4OTk2MTp0ZlNsMGM2...' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=c9anx0NPaI-IGiQQ126AdY3DWqovAGe_L1Ra8Z42...' \
--data-urlencode 'client_id=7590139168389961'

Finally, you get an access token and a refresh token with a new expiration date. You should store your tokens (access token and refresh token) somewhere safe and make requests to retrieve protected resources with the access token.
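The client side of this flow, as an added example that is not part of the original documentation: it builds the same request as the curl command above (basic header method) and replaces the stored tokens with the ones returned. The response field names (`access_token`, `refresh_token`, `expires_in`, `error`) are assumed to follow the standard OAuth 2.0 token response, which this page does not show; the function names and the in-memory `store` dict are hypothetical.

```python
import base64
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.tiki.vn/sc/oauth2/token"  # token endpoint from the curl example


def build_refresh_request(client_id, client_secret, refresh_token):
    """Build (without sending) the refresh_token grant request, basic header method."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",      # fixed value
        "refresh_token": refresh_token,
        "client_id": client_id,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={
            # The secret travels only in the header, never in a URL or log line.
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def needs_refresh(store, now=None, skew=60):
    """True when the access token is expired or expires within `skew` seconds."""
    now = time.time() if now is None else now
    return now >= store["expires_at"] - skew


def apply_token_response(store, response, now=None):
    """Return the new token state; field names are assumed (standard OAuth 2.0)."""
    now = time.time() if now is None else now
    if "error" in response or "access_token" not in response:
        # Keep the old state untouched so a failed refresh cannot wipe valid tokens.
        raise ValueError(f"refresh failed: {response.get('error', 'no access_token')}")
    return {
        "access_token": response["access_token"],
        # A new refresh token replaces the old one; fall back only if none is returned.
        "refresh_token": response.get("refresh_token", store["refresh_token"]),
        "expires_at": now + int(response["expires_in"]),
    }
```

Send the request with `urllib.request.urlopen(req)`, parse the JSON body, and persist the returned state in your secret store before using the new access token.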
