GET /api/refresh/refreshtoken
Generates a new access token using a valid refresh token from cookies. This endpoint allows clients to obtain fresh access tokens without requiring the user to log in again.
Cookies
Response
New JWT access token for API authentication
Cookies Set
The same refresh token is re-set in the cookie to maintain the session.
Configuration:
- Same settings as login cookies (8-9 days expiry)
Status Codes
- 200 - New access token generated successfully
- 400 - Refresh token not received, invalid token, or token expired
- 404 - User not found
- 500 - Internal server error
Example Request
Example Response
Error Responses
Validation Process
- Extract refresh token from HTTP-only cookie
- Verify JWT signature using `REFRESH_TOKEN_SECRET`
- Retrieve user from database using token payload
- Validate that the token matches the one stored in the database
- Generate a new access token
- Return new access token and refresh the cookie
Token Details
New Access Token JWT Payload:
- Access Token: 6-10 hours (depends on environment)
- Refresh Token: 8-9 days (depends on environment)
Security Considerations
- Refresh tokens are stored server-side and validated on each request
- If the stored refresh token doesn’t match the provided one, the request is rejected
- This prevents token reuse after logout or token rotation
- All tokens are delivered in HTTP-only cookies, so script injected through XSS cannot read them
- Production tokens use `secure: true` and `sameSite: Strict` for enhanced security
Usage Pattern
Clients should call this endpoint when:
- The access token expires (6-10 hours)
- API requests return `401 Unauthorized` due to an expired access token
- Before making authenticated requests if the access token is near expiry
Notes
- The refresh token itself is not rotated in this implementation
- The endpoint uses GET method (though POST would be more RESTful for token generation)
- The cookie name in the response is “RefreshToken” (note the capital ‘T’)
- Refresh token validation is performed by comparing with the database value