Refresh Tokens
Refresh tokens are long-lived tokens that must be stored securely against a user on the Merchant site for use in account pairing. It is important that they are never exposed to users or any other party. They are exchanged with the IDP for access tokens, which are short-lived.
Token exchange
Below is an example of a request to exchange a refresh token for an access token:
POST https://merchant-auth-nz.zip.co/oauth/token
Content-Type: application/json
{
  "grant_type": "refresh_token",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "refresh_token": "YOUR_REFRESH_TOKEN"
}
This will return a token in the following format:
{
  "access_token": "eyJ...MoQ",
  "expires_in": 86400,
  "scope": "openid offline_access",
  "id_token": "eyJ...0NE",
  "token_type": "Bearer"
}
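A server-side sketch of the exchange above, added here as an example and not taken from the IDP's own code: it builds the request shown, validates the response fields before use, and never echoes token material in errors. The `send`, `now` and `skew` parameters and the `TokenExchangeError` class are hypothetical names introduced for this example.

```python
import json
import time
import urllib.request

TOKEN_URL = "https://merchant-auth-nz.zip.co/oauth/token"  # endpoint from the page

class TokenExchangeError(Exception):
    """Raised when the IDP response is not a usable Bearer access token."""

def build_request(client_id, client_secret, refresh_token):
    """Build the POST request with the JSON body shown on the page."""
    body = json.dumps({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode("utf-8")
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )

def _http_send(request):
    # Default transport: HTTPS with certificate verification (urllib default).
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read()

def exchange_refresh_token(client_id, client_secret, refresh_token,
                           send=_http_send, now=time.time, skew=60):
    """Return (access_token, expires_at_epoch).

    `send`, `now` and `skew` are hypothetical hooks, not part of the IDP's API.
    """
    raw = send(build_request(client_id, client_secret, refresh_token))
    try:
        data = json.loads(raw)
    except ValueError:
        # Do not echo the body: it may contain token material.
        raise TokenExchangeError("token endpoint returned non-JSON") from None
    if not isinstance(data, dict) or data.get("token_type") != "Bearer":
        raise TokenExchangeError("unexpected token_type")
    token, ttl = data.get("access_token"), data.get("expires_in")
    if not isinstance(token, str) or not token:
        raise TokenExchangeError("missing access_token")
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= skew:
        raise TokenExchangeError("invalid expires_in")
    # Treat the token as expired `skew` seconds early to avoid edge-of-expiry use.
    return token, now() + ttl - skew
```

Load the client secret and refresh token from server-side secret storage at call time, and keep the returned access token in memory only until the computed expiry.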