--- title: Token (refresh_token) (CLIENT_SECRET_BASIC) description: The token endpoint can be used by the client to obtain an access token by exchanging its refresh token. Note that authentication requirements to this endpoint are configured by the application's tokenEndpointAuthMethod property. For refresh_token grants, the application calls the POST /{{envID}}/as/token endpoint to exchange the refresh token for an access token. component: pingone-api page_id: pingone-api:auth:openid-connect-oauth-2/token-refresh_token-client-secret-basic canonical_url: https://developer.pingidentity.com/pingone-api/auth/openid-connect-oauth-2/token-refresh_token-client-secret-basic.html section_ids: prerequisites: Prerequisites headers: Headers body: Body example-request: Example Request example-response: Example Response --- # Token (refresh\_token) (CLIENT\_SECRET\_BASIC) ## ```none POST {{authPath}}/{{envID}}/as/token ``` | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Ping Identity is deprecating JWT-format refresh tokens in favor of opaque tokens, which are more secure. You must update your OIDC-based applications to use opaque refresh tokens by March 1, 2027. Learn more in [Refresh tokens](../../foundations/authentication-concepts/access-tokens-and-id-tokens/token-claims.html#refresh-tokens). | The token endpoint can be used by the client to obtain an access token by exchanging its refresh token. Note that authentication requirements to this endpoint are configured by the application's `tokenEndpointAuthMethod` property. For `refresh_token` grants, the application calls the `POST /{{envID}}/as/token` endpoint to exchange the refresh token for an access token. For a `refresh_token` grant type in which the application's `tokenEndpointAuthMethod` is set to `CLIENT_SECRET_BASIC`, the `Authorization: Basic` header represents a Base64-encoded representation of "username:password", in which the username is the `client_id` and the password is the `client_secret`: ```bash -H 'Authorization: Basic ' \ ``` To obtain a refresh token along with an access token, the application must be either: * Configured with the `refresh_token` grant type and the `authorization_code` grant type. * Configured with the `authorization_code` grant type, and include `offline_access` in the `scope` parameter. A refresh token is then generated along with the access token. When obtaining the original access token, a refresh token is included in the response, which is tied to the client and the user session. As long as the session exists and it is not expired (30 days since the last sign on), the `/{{envID}}/as/token` endpoint can be used to exchange the refresh token for a new access token and refresh token. If the `openid` scope is granted, an ID token is also included. When a new refresh token is issued, the previous refresh token is rotated to prevent token abuse, which is useful when client authentication is disabled. In addition, when a refresh token is exchanged, the `activeAt` property of the corresponding session is updated. This does not extend the duration of the session, but can be used to indicate that there is activity. To revoke a refresh token, the corresponding session must be deleted. Session termination is supported only by the resource owner using the `/{{envID}}/as/signoff` endpoint or by disabling the user. For more information about access token claims, refer to [Access token claims](../../foundations/authentication-concepts/access-tokens-and-id-tokens.html). ### Prerequisites * Refer to [OpenID Connect/OAuth 2](../openid-connect-oauth-2.html) and [Token](token-intro.html) for important overview information. > **Collapse: Request Model** > > | Property | Type | Required? | > | --------------- | ------ | --------- | > | `client_id` | String | Required | > | `client_secret` | String | Required | > | `refresh_token` | String | Optional | > | `grant_type` | String | Optional | > > Refer to the [OpenID Connect/OAuth2 data model](../openid-connect-oauth-2.html) for full property descriptions. ### Headers Authorization Content-Type      application/x-www-form-urlencoded ### Body urlencoded ( application/x-www-form-urlencoded ) | Key | Value | | -------------- | ------------------------- | | grant\_type | refresh\_token | | refresh\_token | {{refreshToken4AuthCode}} | ## ### Example Request * cURL * C# * Go * HTTP * Java * jQuery * NodeJS * Python * PHP * Ruby * Swift ```shell curl --location --globoff '{{authPath}}/{{envID}}/as/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --header 'Authorization: Basic e3thcHBJRH19Ont7YXBwU2VjcmV0fX0=' \ --data-urlencode 'grant_type=refresh_token' \ --data-urlencode 'refresh_token={{refreshToken4AuthCode}}' ``` ```csharp var options = new RestClientOptions("{{authPath}}/{{envID}}/as/token") { MaxTimeout = -1, }; var client = new RestClient(options); var request = new RestRequest("", Method.Post); request.AddHeader("Content-Type", "application/x-www-form-urlencoded"); request.AddHeader("Authorization", "Basic e3thcHBJRH19Ont7YXBwU2VjcmV0fX0="); request.AddParameter("grant_type", "refresh_token"); request.AddParameter("refresh_token", "{{refreshToken4AuthCode}}"); RestResponse response = await client.ExecuteAsync(request); Console.WriteLine(response.Content); ``` ```golang package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "{{authPath}}/{{envID}}/as/token" method := "POST" payload := strings.NewReader("grant_type=refresh_token&refresh_token=%7B%7BrefreshToken4AuthCode%7D%7D") client := &http.Client { } req, err := http.NewRequest(method, url, payload) if err != nil { fmt.Println(err) return } req.Header.Add("Content-Type", "application/x-www-form-urlencoded") req.Header.Add("Authorization", "Basic e3thcHBJRH19Ont7YXBwU2VjcmV0fX0=") res, err := client.Do(req) if err != nil { fmt.Println(err) return } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { fmt.Println(err) return } fmt.Println(string(body)) } ``` ```http POST /{{envID}}/as/token HTTP/1.1 Host: {{authPath}} Content-Type: application/x-www-form-urlencoded Authorization: Basic e3thcHBJRH19Ont7YXBwU2VjcmV0fX0= grant_type=refresh_token&refresh_token=%7B%7BrefreshToken4AuthCode%7D%7D ``` ```java OkHttpClient client = new OkHttpClient().newBuilder() .build(); MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded"); RequestBody body = RequestBody.create(mediaType, "grant_type=refresh_token&refresh_token={{refreshToken4AuthCode}}"); Request request = new Request.Builder() .url("{{authPath}}/{{envID}}/as/token") .method("POST", body) .addHeader("Content-Type", "application/x-www-form-urlencoded") .addHeader("Authorization", "Basic e3thcHBJRH19Ont7YXBwU2VjcmV0fX0=") .build(); Response response = client.newCall(request).execute(); ``` ```javascript var settings = { "url": "{{authPath}}/{{envID}}/as/token", "method": "POST", "timeout": 0, "headers": { "Content-Type": "application/x-www-form-urlencoded", "Authorization": "Basic e3thcHBJRH19Ont7YXBwU2VjcmV0fX0=" }, "data": { "grant_type": "refresh_token", "refresh_token": "{{refreshToken4AuthCode}}" } }; $.ajax(settings).done(function (response) { console.log(response); }); ``` ```javascript var request = require('request'); var options = { 'method': 'POST', 'url': '{{authPath}}/{{envID}}/as/token', 'headers': { 'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic e3thcHBJRH19Ont7YXBwU2VjcmV0fX0=' }, form: { 'grant_type': 'refresh_token', 'refresh_token': '{{refreshToken4AuthCode}}' } }; request(options, function (error, response) { if (error) throw new Error(error); console.log(response.body); }); ``` ```python import requests url = "{{authPath}}/{{envID}}/as/token" payload = 'grant_type=refresh_token&refresh_token=%7B%7BrefreshToken4AuthCode%7D%7D' headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic e3thcHBJRH19Ont7YXBwU2VjcmV0fX0=' } response = requests.request("POST", url, headers=headers, data=payload) print(response.text) ``` ```php setUrl('{{authPath}}/{{envID}}/as/token'); $request->setMethod(HTTP_Request2::METHOD_POST); $request->setConfig(array( 'follow_redirects' => TRUE )); $request->setHeader(array( 'Content-Type' => 'application/x-www-form-urlencoded', 'Authorization' => 'Basic e3thcHBJRH19Ont7YXBwU2VjcmV0fX0=' )); $request->addPostParameter(array( 'grant_type' => 'refresh_token', 'refresh_token' => '{{refreshToken4AuthCode}}' )); try { $response = $request->send(); if ($response->getStatus() == 200) { echo $response->getBody(); } else { echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' . $response->getReasonPhrase(); } } catch(HTTP_Request2_Exception $e) { echo 'Error: ' . $e->getMessage(); } ``` ```ruby require "uri" require "net/http" url = URI("{{authPath}}/{{envID}}/as/token") http = Net::HTTP.new(url.host, url.port); request = Net::HTTP::Post.new(url) request["Content-Type"] = "application/x-www-form-urlencoded" request["Authorization"] = "Basic e3thcHBJRH19Ont7YXBwU2VjcmV0fX0=" request.body = "grant_type=refresh_token&refresh_token=%7B%7BrefreshToken4AuthCode%7D%7D" response = http.request(request) puts response.read_body ``` ```swift let parameters = "grant_type=refresh_token&refresh_token=%7B%7BrefreshToken4AuthCode%7D%7D" let postData = parameters.data(using: .utf8) var request = URLRequest(url: URL(string: "{{authPath}}/{{envID}}/as/token")!,timeoutInterval: Double.infinity) request.addValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type") request.addValue("Basic e3thcHBJRH19Ont7YXBwU2VjcmV0fX0=", forHTTPHeaderField: "Authorization") request.httpMethod = "POST" request.httpBody = postData let task = URLSession.shared.dataTask(with: request) { data, response, error in guard let data = data else { print(String(describing: error)) return } print(String(data: data, encoding: .utf8)!) } task.resume() ``` ### Example Response 200 OK ```json { "access_token": "eyJraWQiOiJkMzQwNGI...", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "eyJhbGciOiJShRfCgho66...", "scope": "openid", "id_token": "eyJraWQiOiJkMzQwNGI5MC1..." } ```