Refresh Tokens

Last Updated:

A refresh token is used to generate additional access tokens. They're used as short-lived access tokens without having to request credentials every time they expire. The refresh token is processed with the access and/or ID tokens as part of a user’s initial authentication flow.

Get a Token

There's three ways to get a token. The first is by sending a request to your Okta Authorization server.

The second method is to use the authorization code flow using the server’s authorize endpoint to get an authorization code, specifying an offline_access scope. You then send this code to the token endpoint to get an access and a refresh token. 

The third method uses Single-Page Application (SPA). The SPA resolves the problem of redirecting the user to a login page during normal navigation. For example, a user requests access to a resource prompting your SPA to send a request to the Fortellis authorize endpoint. But the common problem is when the user doesn't have a valid session. The request will result in a redirection to a login page. Not ideal for a good user experience.

To avoid this disruptive redirection with SPA, the endpoint allows for a request parameter called prompt. If the value of the prompt parameter is none, this guarantees that the user will not be prompted to login. Your solution application will either get the requested tokens or an OAuth error response. How you manage the error is up to you.

Using a Refresh Token

To refresh your access token, send a token request with a grant_type of refresh_token. See the example below:

http --form POST \
  accept:application/json \
  authorization:'Basic MG9hYmg3M...' \
  cache-control:no-cache \
  content-type:application/x-www-form-urlencoded \
  grant_type=refresh_token \
  redirect_uri={your_redirect_uri} \
  scope=offline_access \

If the refresh token is valid, you'll get back a new access/refresh token combination. See the following example:

    "access_token": "eyJhbGciOiJ[...]K1Sun9bA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "offline_access",
    "refresh_token": "MIOf-U1zQbyfa3MUfJHhvnUqIut9ClH0xjlDXGJAyqo"