Because access tokens are valid for only a short period of time, a client that acquires an access token to access a protected resource also receives a refresh token.
Asking the user for permission again would make for a poor experience: the user would have to authenticate and consent multiple times for the same permissions and the same client application. Instead, you should use a refresh token to get a new access token.
Since your client app already has both tokens (access token and refresh token), it only needs to send its credentials (client_id and client_secret) along with the refresh token to the authorization server to get a new access token that has the same permissions as the old/expired access token.
Send the following parameters to the authorization server at the token endpoint:
| Parameter | Description |
|---|---|
| refresh_token | The refresh_token associated with the access_token |
| client_id | Your app id |
| client_secret | Send client secret in basic header or request body, see Token endpoint auth method |
The API request should look like this (the following example uses the basic header method):

```bash
curl --location --request POST 'https://api.tiki.vn/sc/oauth2/token' \
  --header 'Authorization: Basic NzU5MDEzOTE2ODM4OTk2MTp0ZlNsMGM2...' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=refresh_token' \
  --data-urlencode 'refresh_token=c9anx0NPaI-IGiQQ126AdY3DWqovAGe_L1Ra8Z42...' \
  --data-urlencode 'client_id=7590139168389961'
```
Finally, you get an access token and a refresh token with a new expiration date. You should store your tokens (access token and refresh token) somewhere safe and use the access token to make requests for protected resources.
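The refresh call and the "store somewhere safe" step, as an added Python example that is not part of the original documentation. It assumes the response carries the standard OAuth 2.0 fields `access_token`, `refresh_token` and `expires_in` (the page does not show the response body); the function names and the token file path are hypothetical.

```python
import base64, json, os, tempfile, time
import urllib.parse, urllib.request

TOKEN_URL = "https://api.tiki.vn/sc/oauth2/token"  # endpoint from the curl example

def build_refresh_request(client_id, client_secret, refresh_token):
    """Build the refresh_token grant request using the basic header method."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,   # the secret travels only in the header
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })

def save_tokens(path, response, now=None):
    """Store the new token pair atomically in an owner-only (0600) file."""
    now = time.time() if now is None else now
    record = {
        "access_token": response["access_token"],    # assumed field names
        "refresh_token": response["refresh_token"],  # (standard OAuth 2.0)
        "expires_at": now + int(response["expires_in"]),
    }
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically,
    # so a crash never leaves a half-written or world-readable token file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(record, f)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return record

def needs_refresh(record, now=None, skew=60):
    """True once the access token is within `skew` seconds of expiring."""
    now = time.time() if now is None else now
    return now >= record["expires_at"] - skew

def refresh(client_id, client_secret, refresh_token, path):
    """Exchange the refresh token and persist the pair returned by the server."""
    req = build_refresh_request(client_id, client_secret, refresh_token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return save_tokens(path, json.load(resp))
```

Always persist the refresh token returned in the response rather than reusing the one you sent, since the server issues a new pair on each refresh.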