Developer Documentation
Developer Documentation
Home
Zip

Refresh Tokens

Refresh tokens are long-lived tokens, that need to be securely stored against a user on the Merchant site. It is important these are never exposed to users etc. They are exchanged for access tokens from the IDP, which are short-lived.

Token exchange

Below is an example of a request to exchange a refresh token for an access token:

https://merchant-auth.partpay.co.nz/oauth/token
Content-Type: application/json

{ 
  "grant_type": "refresh_token"
	"client_id": "YOUR_CLIENT_ID", 
	"client_secret": "YOUR_CLIENT_SECRET", 
	"refresh_token": "YOUR_REFRESH_TOKEN" 
}

This will return a token in the following format:

{
  "access_token": "eyJ...MoQ",
  "expires_in": 86400,
  "scope": "openid offline_access",
  "id_token": "eyJ...0NE",
  "token_type": "Bearer"
}
Authentication Endpoints

NB that the previously defined endpoints will continue to function as they previously have, and your previously issued Client Id & Secret will be able to be used with both end points. There are no plans to retire the existing authentication endpoints.

Old endpoints

Environment Token Endpoint API Identifier (audience)
Production https://merchant-auth.partpay.co.nz/oauth/token https://auth.partpay.co.nz
Test https://partpay-dev.au.auth0.com/oauth/token https://auth-dev.partpay.co.nz