Include the offline_access scope when you initiate an authentication request through the /authorize endpoint. Be sure to enable Offline Access for your API. For more information, read API Settings.
For example, if you are using the Authorization Code Flow, the authentication request is sent to the /authorize endpoint with the offline_access scope included.
Once the user authenticates successfully, the application is redirected to the redirect_uri, with a code as part of the URL: {https://yourApp/callback}?code=BPPLN3Z4qCTvSNOy. You can exchange this code for an access token using the /oauth/token endpoint.
The response should contain an access token and a refresh token.
Public applications do not include the client_secret in the request, since it is only required for confidential applications.
The refresh token is stored in the session. Then, when the session needs to be refreshed (for example, a preconfigured timeframe has passed or the user tries to perform a sensitive operation), the app uses the refresh token on the backend to obtain a new access token, using the /oauth/token endpoint with grant_type=refresh_token.
Refresh tokens must be stored securely by an application, since they allow a user to remain authenticated essentially forever.
For more information on how to implement this using the Authorization Code Flow, refer to our tutorial, Call API Using the Authorization Code Flow. For other grants, see Authentication and Authorization Flows.
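The flow described above, carried through end to end as an added example (this is not Auth0's own code or SDK): build the /authorize request with the offline_access scope, validate the callback and extract the code, exchange it at /oauth/token, keep the refresh token in a server-side session, and use grant_type=refresh_token on the backend when the access token is about to expire. The tenant domain, client id, audience, state value and the StubTokenEndpoint class are constructed placeholders; the stub stands in for the real /oauth/token endpoint so the module runs offline, and http_post is what a real deployment would pass instead.

```python
"""Authorization Code Flow with offline_access: /authorize request, callback,
code exchange, server-side refresh-token storage and refresh_token grant.
Added example, not Auth0's code. The transport is a parameter so the whole
flow can run offline against StubTokenEndpoint (constructed for illustration)."""
import json
import urllib.parse
import urllib.request

AUTHORIZE_SCOPES = "openid offline_access"  # offline_access is what yields a refresh token


def build_authorize_url(domain, client_id, redirect_uri, audience, state):
    """Authentication request that asks for a refresh token via offline_access."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": AUTHORIZE_SCOPES,
        "audience": audience,
        "state": state,  # bound to the user's session and checked on the callback
    }
    return f"https://{domain}/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the code from {redirect_uri}?code=...&state=..., refusing a bad state."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    if "error" in query:
        raise RuntimeError(query["error"][0])
    return query["code"][0]


def http_post(url, form):
    """Real transport: form-encoded POST to /oauth/token, JSON body back."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def exchange_code(post, domain, client_id, code, redirect_uri, client_secret=None):
    """Trade the code for tokens; client_secret is sent only by confidential apps."""
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return post(f"https://{domain}/oauth/token", form)


def refresh_access_token(post, domain, client_id, refresh_token, client_secret=None):
    """Backend-only call: grant_type=refresh_token returns a new access token."""
    form = {"grant_type": "refresh_token", "client_id": client_id, "refresh_token": refresh_token}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return post(f"https://{domain}/oauth/token", form)


def store_tokens(session, tokens, now):
    """The refresh token lives only in the server-side session, never in the browser."""
    session["access_token"] = tokens["access_token"]
    session["refresh_token"] = tokens.get("refresh_token", session.get("refresh_token"))
    session["expires_at"] = now + tokens["expires_in"]


def ensure_fresh_access_token(post, domain, client_id, session, now, leeway=60):
    """Refresh silently when the access token is within `leeway` seconds of expiry."""
    if now + leeway < session["expires_at"]:
        return session["access_token"]
    store_tokens(session, refresh_access_token(post, domain, client_id, session["refresh_token"]), now)
    return session["access_token"]


class StubTokenEndpoint:
    """Constructed stand-in for /oauth/token: single-use codes, tracked refresh tokens."""
    def __init__(self, code="BPPLN3Z4qCTvSNOy"):
        self.codes, self.refresh_tokens, self.issued = {code}, set(), 0

    def __call__(self, url, form):
        if not url.endswith("/oauth/token"):
            raise RuntimeError("wrong endpoint")
        self.issued += 1
        if form["grant_type"] == "authorization_code":
            if form["code"] not in self.codes:
                raise RuntimeError("invalid_grant")
            self.codes.discard(form["code"])  # a code can be redeemed once
            self.refresh_tokens.add(f"rt-{self.issued}")
            return {"access_token": f"at-{self.issued}", "refresh_token": f"rt-{self.issued}",
                    "expires_in": 86400, "token_type": "Bearer"}
        if form["grant_type"] == "refresh_token" and form["refresh_token"] in self.refresh_tokens:
            return {"access_token": f"at-{self.issued}", "expires_in": 86400, "token_type": "Bearer"}
        raise RuntimeError("invalid_grant")


def demo():
    """Run the full flow against the stub; returns (authorize_url, first_at, second_at, session)."""
    domain, client_id, redirect_uri = "yourTenant.example", "yourClientId", "https://yourApp/callback"
    stub, state, t0 = StubTokenEndpoint(), "s3cr3t-state", 1_700_000_000
    url = build_authorize_url(domain, client_id, redirect_uri, "https://api.example", state)
    code = parse_callback(f"{redirect_uri}?code=BPPLN3Z4qCTvSNOy&state={state}", state)
    session = {}
    store_tokens(session, exchange_code(stub, domain, client_id, code, redirect_uri), t0)
    first = session["access_token"]
    # a day later the access token has expired; the backend refreshes it without user interaction
    second = ensure_fresh_access_token(stub, domain, client_id, session, t0 + 86400)
    return url, first, second, session
```

The refresh token never leaves the server: the browser only ever holds the session cookie, and only the backend performs the grant_type=refresh_token call. Passing client_secret=None is the public-client case from the note above; a confidential backend passes its secret to both exchange_code and refresh_access_token.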