Because access tokens are valid for only a short period of time, when a client acquires an access token to access a protected resource, the client also receives a refresh token.
Asking the user to authenticate and consent again for the same permissions and the same client application makes for a poor user experience. Instead, use the refresh token to get a new access token.
Since your client app already holds both tokens (access token and refresh token), it only needs to send its credentials (client_id and client_secret) along with the refresh token to the authorization server to get a new access token that has the same permissions as the old/expired access token.
Send the following parameters to the authorization server at the token endpoint:

| Parameter | Value | Description |
| --- | --- | --- |
| grant_type | refresh_token | Fixed |
| refresh_token | c9anx0NPaI-IGiQQ1... | The refresh_token associated with the access_token |
| client_id | 7590139168389961 | Your app id |
| client_secret | | Send client secret in basic header or request body, see Token endpoint auth method |

The API request should look like this (the following example uses the basic header method):

```bash
curl --location --request POST 'https://api.tiki.vn/sc/oauth2/token' \
--header 'Authorization: Basic NzU5MDEzOTE2ODM4OTk2MTp0ZlNsMGM2...' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=c9anx0NPaI-IGiQQ126AdY3DWqovAGe_L1Ra8Z42...' \
--data-urlencode 'client_id=7590139168389961'
```

Finally, you receive an access token and a refresh token with a new expiration date. Store both tokens (access token and refresh token) somewhere safe, and use the access token to make requests for protected resources.
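
The refresh exchange and the "store somewhere safe" step above, as an added Python example that is not part of the original page or Tiki's own code. It assumes the token response uses the standard OAuth 2.0 field names (`access_token`, `refresh_token`, `expires_in`); the token file and the function names are hypothetical.

```python
import base64, json, os, tempfile, time, urllib.parse, urllib.request

TOKEN_URL = "https://api.tiki.vn/sc/oauth2/token"  # token endpoint shown on the page

def build_refresh_request(client_id, client_secret, refresh_token):
    """Build the POST from the curl example: credentials in the Basic header."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    }).encode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")

def save_tokens(path, tokens):
    """Write the token file atomically; mkstemp creates it owner-only (0600)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)
    os.replace(tmp, path)  # readers never see a half-written file

def refresh(path, client_id, client_secret, send=None, now=time.time):
    """Exchange the stored refresh token and persist BOTH new tokens.

    `send` is an injectable transport (hypothetical hook) so the flow can be
    exercised offline; by default it POSTs to TOKEN_URL over HTTPS.
    """
    send = send or (lambda req: json.load(urllib.request.urlopen(req, timeout=10)))
    with open(path) as f:
        old = json.load(f)
    resp = send(build_refresh_request(client_id, client_secret, old["refresh_token"]))
    if "access_token" not in resp:
        # Fail without touching the stored tokens; never log the response body.
        raise RuntimeError("token endpoint returned no access_token")
    new = {
        "access_token": resp["access_token"],
        # The page says a new refresh token comes back; keep the old one only
        # if the response omits it (assumed field names, standard OAuth 2.0).
        "refresh_token": resp.get("refresh_token", old["refresh_token"]),
        "expires_at": now() + int(resp.get("expires_in", 0)),
    }
    save_tokens(path, new)
    return new
```

Keep the client secret out of source control and load it from the environment or a secret store when calling `refresh`.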