Refresh Tokens


Refresh tokens are long-lived tokens that must be stored securely against a user on the Merchant site for use in account pairing. It is important that they are never exposed to users or other parties. They are exchanged with the IDP for access tokens, which are short-lived.

Token exchange

Below is an example of a request to exchange a refresh token for an access token:

POST https://merchant-auth-nz.zip.co/oauth/token
Content-Type: application/json

{
  "grant_type": "refresh_token",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "refresh_token": "YOUR_REFRESH_TOKEN"
}

This will return a token in the following format:

{
  "access_token": "eyJ...MoQ",
  "expires_in": 86400,
  "scope": "openid offline_access",
  "id_token": "eyJ...0NE",
  "token_type": "Bearer"
}
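
The exchange above as a server-side Python sketch. This is an added example, not code from Zip. It builds the request, validates the response, and works out when the short-lived access token should be replaced. The environment variable names and the 60-second refresh margin are assumptions.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://merchant-auth-nz.zip.co/oauth/token"  # endpoint from the page


def build_request(client_id, client_secret, refresh_token):
    """Build the server-side POST that exchanges a refresh token."""
    body = json.dumps({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode("utf-8")
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/json"})


def parse_response(raw, now=None, skew=60):
    """Validate the token response and compute when to stop using the token."""
    doc = json.loads(raw)
    if str(doc.get("token_type")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")  # never echo the body: it holds tokens
    now = time.time() if now is None else now
    # Refresh slightly early (skew is an assumption) so a token never expires mid-request.
    return {"access_token": doc["access_token"],
            "expires_at": now + int(doc["expires_in"]) - skew}


def exchange(refresh_token):
    """Perform the exchange; credentials come from the environment, not source code."""
    req = build_request(os.environ["ZIP_CLIENT_ID"],      # hypothetical variable names
                        os.environ["ZIP_CLIENT_SECRET"], refresh_token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(resp.read())


# Constructed sample response in the format shown above (tokens elided as on the page).
SAMPLE = b'{"access_token": "eyJ...MoQ", "expires_in": 86400, "scope": "openid offline_access", "id_token": "eyJ...0NE", "token_type": "Bearer"}'

if __name__ == "__main__":
    print(parse_response(SAMPLE, now=0)["expires_at"])
```

Only the access token and its expiry leave `parse_response`. The refresh token and client secret stay on the server and are never written to logs or returned to the browser.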