Developer Documentation

Refresh Tokens

Refresh tokens are long-lived tokens that must be stored securely against a user on the Merchant site. It is important that they are never exposed to users or other parties. They are exchanged with the IDP for access tokens, which are short-lived.

Token exchange

Below is an example of a request to exchange a refresh token for an access token:

Content-Type: application/json

{
  "grant_type": "refresh_token",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "refresh_token": "YOUR_REFRESH_TOKEN"
}

This will return a token in the following format:

{
  "access_token": "eyJ...MoQ",
  "expires_in": 86400,
  "scope": "openid offline_access",
  "id_token": "eyJ...0NE",
  "token_type": "Bearer"
}

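
The exchange described above, as an added server-side example (not code from this documentation or the IDP): it keeps the refresh token and client secret out of logs, and reuses the access token until shortly before `expires_in` runs out. `TOKEN_ENDPOINT` is a placeholder because the endpoint URL is not shown here, and `AccessTokenCache`, `http_post_json` and the 60-second `skew` are hypothetical names and values.

```python
import json
import time
import urllib.request

# Placeholder: the token endpoint URL is not shown on this page.
TOKEN_ENDPOINT = "https://idp.example.invalid/oauth/token"


def http_post_json(url, body):
    """Default transport: POST a JSON body and return the decoded JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class AccessTokenCache:
    """Holds one user's refresh token server-side and hands out access tokens."""

    def __init__(self, client_id, client_secret, refresh_token,
                 post=http_post_json, clock=time.monotonic, skew=60):
        # Request body in the shape shown in the documentation above.
        self._body = {"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret,
                      "refresh_token": refresh_token}
        self._post, self._clock, self._skew = post, clock, skew
        self._access_token, self._expires_at = None, 0.0

    def __repr__(self):
        # Keep the secret and tokens out of logs and tracebacks.
        return "AccessTokenCache(client_id=%r, <secrets redacted>)" % (
            self._body["client_id"],)

    def access_token(self):
        """Return a cached access token, exchanging the refresh token if stale."""
        if self._access_token and self._clock() < self._expires_at:
            return self._access_token
        reply = self._post(TOKEN_ENDPOINT, self._body)
        if (reply.get("token_type", "").lower() != "bearer"
                or not reply.get("access_token")):
            raise ValueError("unexpected token response")  # never echo the reply
        self._access_token = reply["access_token"]
        # Refresh `skew` seconds early so a token is not used at its expiry edge.
        self._expires_at = self._clock() + int(reply["expires_in"]) - self._skew
        return self._access_token
```
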
Authentication Endpoints

Note that the previously defined endpoints will continue to function as before, and your previously issued Client Id & Secret can be used with both endpoints. There are no plans to retire the existing authentication endpoints.

Old endpoints

Environment Token Endpoint API Identifier (audience)