As a security measure, the access tokens have a valid time after which they expire and cease to be useful, (see the specification). If the client application needs to access an authenticated user’s private data, but the access_token is no longer valid, it must make a request to refresh the Access Token to get a new valid token relating to the user.

So that AuthNZ knows it has to update an expired Access Token, the client application must inform of this fact by means of a POST request to sending the following parameters:

Endpoint URL:

 POST https://{}/oauth2/token

Request parameters

grant_typeThe value must be set to refresh_tokenstring
refresh_tokenthe refresh token that is obtained in the authentication process.string
client_idIdentifier of the client application.string
client_secretSecret of the client application.string

cURL Request example


Once the OAuth server interprets the request to update the access token, it will return a new valid Access Token for the user.