Refresh token

Search…
Refresh token
How to execute the authorization flow and get your access token
The refresh_token grant type is used by clients to exchange a refresh token for an expired access token.
Sales channel applications can use the refresh_token grant type to refresh a customer's access token with a "remember me" option. Webapp applications can use the refresh_token grant type to refresh the access token skipping the authorization code step.
A refresh token can be revoked before its natural expiration date.
Getting an access token
To get an access token using the refresh_token grant type, send a POST request to the /oauth/token endpoint, passing the application credentials in the request body.
Request
POST https://yourdomain.commercelayer.io/oauth/token
Arguments
Body parameter
Type
Required
Description
grant_type
string
Required
refresh_token
refresh_token
string
Required
A valid refresh_token
client_id
string
Required
Your application client_id
client_secret
string
Optional
Your application client_secret (required in case of authorization code flow)
Examples
Sales channel application with password flow
Request
Response
The following request tries to exchange a valid refresh token for an expired access token:
1
curl -g -X POST \
2
  'https://yourdomain.commercelayer.io/oauth/token' \
3
  -H 'Accept: application/json' \
4
  -H 'Content-Type: application/json' \
5
  -d '{
6
  "grant_type": "refresh_token",
7
  "refresh_token": "your-refresh-token",
8
  "client_id": "your-client-id"
9
}'
Copied!
On success, the API responds with a 200 OK status code, returning the requested access token and customer info:
1
{
2
    "access_token": "your-access-token",
3
    "token_type": "bearer",
4
    "expires_in": 7200,
5
    "refresh_token": "your-new-refresh-token",
6
    "scope": "market:1234",
7
    "created_at": 123456789,
8
    "owner_id": "zxcVBnMASd",
9
    "owner_type": "customer"
10
}
Copied!
The returned scope is the same passed in the request you made to get your-refresh-token.
Webapp application with authorization code flow
Request
Response
The following request tries to exchange a valid refresh token for an expired access token:
1
curl -g -X POST \
2
  'https://yourdomain.commercelayer.io/oauth/token' \
3
  -H 'Accept: application/json' \
4
  -H 'Content-Type: application/json' \
5
  -d '{
6
  "grant_type": "refresh_token",
7
  "refresh_token": "your-refresh-token",
8
  "client_id": "your-client-id",
9
  "client_secret": "your-client-secret"
10
}'
Copied!
On success, the API responds with a 200 OK status code, returning the requested access token and customer info:
1
{
2
    "access_token": "your-access-token",
3
    "token_type": "bearer",
4
    "expires_in": 7200,
5
    "refresh_token": "your-new-refresh-token",
6
    "scope": "market:1234",
7
    "created_at": 123456789,
8
    "owner_id": "zxcVBnMASd",
9
    "owner_type": "customer"
10
}
Copied!
The returned scope is the same (if any) passed in the request you made to get your-refresh-token.
Revoking a refresh token
To revoke a refresh token, send a POST request to the /oauth/revoke endpoint, passing the required parameters in the request body.
Request
POST https://yourdomain.commercelayer.io/oauth/revoke
Arguments
Body parameter
Type
Required
Description
client_id
string
Required
Your application client_id
token
string
Required
A valid refresh_token
Example
Request
Response
The following request revokes a refresh token, before its natural expiration date:
1
curl -g -X POST \
2
  'https://yourdomain.commercelayer.io/oauth/revoke' \
3
  -H 'Accept: application/json' \
4
  -H 'Content-Type: application/json' \
5
  -d '{
6
  "client_id": "your-client-id",
7
  "token": "your-refresh-token"
8
}'
Copied!
On success, the API responds with a 200 OK status code, returning an empty object.
Authorization code
JWT single sign-on
Last modified 6mo ago
Copy link
Contents
Getting an access token
Request
Arguments
Examples
Revoking a refresh token
Request
Arguments
Example