Refresh token
How to execute the authorization flow and get your access token
The refresh_token grant type is used by clients to exchange a refresh token for a new access token once the current one has expired.
Sales channel applications can use the refresh_token grant type to refresh a customer's access token with a "remember me" option. Webapp applications can use the refresh_token grant type to refresh the access token skipping the authorization code step.
A refresh token can be revoked before its natural expiration date.

Getting an access token

To get an access token using the refresh_token grant type, send a POST request to the /oauth/token endpoint, passing the application credentials in the request body.

Request

POST https://yourdomain.commercelayer.io/oauth/token

Arguments

| Body parameter | Type | Required | Description |
| --- | --- | --- | --- |
| grant_type | string | Required | refresh_token |
| refresh_token | string | Required | A valid refresh_token |
| client_id | string | Required | Your application client_id |
| client_secret | string | Optional | Your application client_secret (required in case of authorization code flow) |

Examples

Sales channel application with password flow

The following request exchanges a valid refresh token for a new access token, replacing the expired one:

    curl -g -X POST \
      'https://yourdomain.commercelayer.io/oauth/token' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{
        "grant_type": "refresh_token",
        "refresh_token": "your-refresh-token",
        "client_id": "your-client-id"
      }'

On success, the API responds with a 200 OK status code, returning the requested access token and customer info:

    {
      "access_token": "your-access-token",
      "token_type": "bearer",
      "expires_in": 7200,
      "refresh_token": "your-new-refresh-token",
      "scope": "market:1234",
      "created_at": 123456789,
      "owner_id": "zxcVBnMASd",
      "owner_type": "customer"
    }

The returned scope is the same as the one passed in the request you made to get your-refresh-token.

Webapp application with authorization code flow

The following request exchanges a valid refresh token for a new access token, replacing the expired one:

    curl -g -X POST \
      'https://yourdomain.commercelayer.io/oauth/token' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{
        "grant_type": "refresh_token",
        "refresh_token": "your-refresh-token",
        "client_id": "your-client-id",
        "client_secret": "your-client-secret"
      }'

On success, the API responds with a 200 OK status code, returning the requested access token and customer info:

    {
      "access_token": "your-access-token",
      "token_type": "bearer",
      "expires_in": 7200,
      "refresh_token": "your-new-refresh-token",
      "scope": "market:1234",
      "created_at": 123456789,
      "owner_id": "zxcVBnMASd",
      "owner_type": "customer"
    }

The returned scope is the same as the one (if any) passed in the request you made to get your-refresh-token.

Revoking a refresh token

To revoke a refresh token, send a POST request to the /oauth/revoke endpoint, passing the required parameters in the request body.

Request

POST https://yourdomain.commercelayer.io/oauth/revoke

Arguments

| Body parameter | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | Required | Your application client_id |
| token | string | Required | A valid refresh_token |

Example

The following request revokes a refresh token before its natural expiration date:

    curl -g -X POST \
      'https://yourdomain.commercelayer.io/oauth/revoke' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{
        "client_id": "your-client-id",
        "token": "your-refresh-token"
      }'

On success, the API responds with a 200 OK status code, returning an empty object.
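
A client for the two calls documented on this page, added here as an example (not Commerce Layer's own code): it refreshes the access token, keeps the refresh_token returned in each response for the next refresh, and revokes the stored token on logout. TokenSession, http_post and the injectable post transport are hypothetical names, and reading created_at as Unix seconds is an assumption.

```python
import json
import urllib.request

BASE_URL = "https://yourdomain.commercelayer.io"  # placeholder host used on this page


def http_post(url, body):
    """Default transport: POST a JSON body, return (status, parsed JSON)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


class TokenSession:
    """Holds one token pair (hypothetical helper, not part of any SDK)."""

    def __init__(self, client_id, refresh_token, client_secret=None, post=http_post):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token, self.access_token, self.expires_at = refresh_token, None, 0
        self._post = post  # injectable so the logic can be exercised offline

    def refresh(self):
        body = {"grant_type": "refresh_token",
                "refresh_token": self.refresh_token,
                "client_id": self.client_id}
        if self.client_secret:  # required only for the authorization code flow
            body["client_secret"] = self.client_secret
        status, data = self._post(BASE_URL + "/oauth/token", body)
        if status != 200 or "access_token" not in data:
            raise RuntimeError("token refresh failed with status %s" % status)
        self.access_token = data["access_token"]
        # Store the refresh token returned by this response for the next refresh.
        self.refresh_token = data.get("refresh_token", self.refresh_token)
        # Assumption: created_at is Unix seconds and expires_in is in seconds.
        self.expires_at = data["created_at"] + data["expires_in"]
        return self.access_token

    def revoke(self):
        status, _ = self._post(BASE_URL + "/oauth/revoke",
                               {"client_id": self.client_id, "token": self.refresh_token})
        if status != 200:
            raise RuntimeError("revocation failed with status %s" % status)
        # Drop the local copies as well so they cannot be reused or leaked.
        self.refresh_token = self.access_token = None
        self.expires_at = 0
```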