
Refresh Token

The refresh token flow allows a client to obtain a new access token without requiring the user to re-authenticate. It uses the same /auth/v2/token endpoint as the initial token request, but with a different grant type.

  • Base URL: https://apx.didit.me
  • Endpoint: /auth/v2/token
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Authentication: Basic Auth (Client ID and Client Secret)

Request

Headers

  • Authorization: Basic {base64(client_id:client_secret)}
  • Content-Type: application/x-www-form-urlencoded

Body Parameters

  • grant_type (required): Must be set to refresh_token.
  • refresh_token (required): The refresh token received in the original token response.

Example Request

POST /auth/v2/token HTTP/1.1
Host: apx.didit.me
Authorization: Basic {base64(client_id:client_secret)}
Content-Type: application/x-www-form-urlencoded
 
grant_type=refresh_token&refresh_token=your_refresh_token_here

Response

Returns a JSON object containing a new access token, and optionally a new refresh token.

Example Response

{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Imp3a1...",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "8xLOxBtZp8",
    "scope": "openid profile email"
}

Response Fields

  • access_token: The new access token.
  • token_type: The type of token, always "Bearer".
  • expires_in: The lifetime of the access token in seconds.
  • refresh_token: A new refresh token. Note that some implementations may not provide a new refresh token with every refresh.
  • scope: The scopes associated with this token.

Error Responses

Errors are returned as JSON objects with an error field and optionally an error_description field.

Common Errors

  • invalid_request: The request is missing a required parameter or is otherwise malformed.
  • invalid_client: Client authentication failed.
  • invalid_grant: The refresh token is invalid, expired, or has been revoked.
  • unauthorized_client: The client is not authorized to use the refresh token grant.
  • unsupported_grant_type: The authorization server does not support the refresh token grant.

Example Error Response

{
    "error": "invalid_grant",
    "error_description": "The refresh token was invalid or has expired."
}

Code Example

// Exchange a refresh token for a new access token (Node 18+ or a browser with fetch).
const refreshTokens = async (refreshToken) => {
  const tokenEndpoint = 'https://apx.didit.me/auth/v2/token';
  // Placeholders: load the client credentials from configuration or a secret store,
  // not from source, and only on a server (the secret must not reach a browser).
  const clientId = 'your_client_id';
  const clientSecret = 'your_client_secret';

  // Form-encoded body: grant_type=refresh_token&refresh_token=...
  const params = new URLSearchParams();
  params.append('grant_type', 'refresh_token');
  params.append('refresh_token', refreshToken);

  try {
    const response = await fetch(tokenEndpoint, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        // Basic auth: base64(client_id:client_secret)
        'Authorization': 'Basic ' + btoa(clientId + ':' + clientSecret)
      },
      body: params
    });

    if (!response.ok) {
      // Error bodies are JSON with error / error_description; guard against a
      // non-JSON body (for example a proxy error page) so the real status is not masked.
      const errorData = await response.json().catch(() => ({}));
      throw new Error(errorData.error_description || errorData.error || 'Failed to refresh tokens');
    }

    // { access_token, token_type, expires_in, refresh_token (optional), scope }
    const data = await response.json();
    return data;
  } catch (error) {
    console.error('Error refreshing tokens:', error);
    throw error;
  }
};
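The snippet above performs a single refresh. The following added example (written for this page, not Didit's own code) wraps the same /auth/v2/token contract in a small token manager: it refreshes only when the access token is about to expire, keeps the previous refresh token when the server does not rotate it (the page notes rotation is optional), maps invalid_grant to a "sign in again" signal, and never hard-codes credentials. The fetch implementation is injectable, so the block runs offline against a constructed fake of the endpoint; clientId, clientSecret and all token values are assumptions.

```javascript
// Added example, not Didit's code: a token manager around the refresh flow documented above.
// Only the /auth/v2/token contract on this page is assumed. fetchImpl is injectable so the
// example runs offline against a constructed fake server; credentials are placeholders.

const TOKEN_ENDPOINT = 'https://apx.didit.me/auth/v2/token';

// Basic auth header from client credentials. Real code reads these from a secret store or
// environment on the server; they are passed in rather than hard-coded.
function basicAuthHeader(clientId, clientSecret) {
  return 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
}

// Normalise a token response into a record with an absolute expiry. When the server does
// not rotate the refresh token, keep the previous one.
function mergeTokenResponse(previous, body, now) {
  return {
    accessToken: body.access_token,
    refreshToken: body.refresh_token || previous.refreshToken,
    expiresAt: now + body.expires_in * 1000,
    scope: body.scope,
  };
}

// Refresh a little before expiry so an in-flight request never carries a dead token.
function needsRefresh(tokens, now, skewMs = 60_000) {
  return now + skewMs >= tokens.expiresAt;
}

class RefreshError extends Error {
  constructor(code, description, status) {
    super(`${code}: ${description}`);
    this.code = code;      // OAuth error code, e.g. invalid_grant
    this.status = status;  // HTTP status
  }
  // invalid_grant means the refresh token is invalid, expired or revoked: re-authenticate.
  get requiresReauth() { return this.code === 'invalid_grant'; }
}

async function refreshAccessToken(tokens, { clientId, clientSecret, fetchImpl = fetch, now = Date.now() }) {
  const form = new URLSearchParams({ grant_type: 'refresh_token', refresh_token: tokens.refreshToken });
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: basicAuthHeader(clientId, clientSecret),
    },
    body: form.toString(),
  });
  let payload = {};
  try { payload = await res.json(); } catch { /* non-JSON error body: keep status only */ }
  if (!res.ok) {
    throw new RefreshError(payload.error || 'unknown_error',
      payload.error_description || `HTTP ${res.status}`, res.status);
  }
  return mergeTokenResponse(tokens, payload, now);
}

// Returns usable tokens, refreshing only when the current access token is about to expire.
async function getValidAccessToken(tokens, opts) {
  const now = opts.now ?? Date.now();
  if (!needsRefresh(tokens, now)) return { tokens, refreshed: false };
  return { tokens: await refreshAccessToken(tokens, { ...opts, now }), refreshed: true };
}

// Constructed fake of the token endpoint for offline use. It checks client auth and grant
// type, accepts each refresh token once when rotating, and answers invalid_grant for reuse.
function makeFakeTokenServer({ clientId, clientSecret, rotate = true }) {
  const live = new Set(['rt-1']);
  let counter = 1;
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  return async (url, init) => {
    if (url !== TOKEN_ENDPOINT || init.method !== 'POST') return reply(404, { error: 'invalid_request' });
    if (init.headers.Authorization !== basicAuthHeader(clientId, clientSecret)) {
      return reply(401, { error: 'invalid_client', error_description: 'Client authentication failed' });
    }
    const form = new URLSearchParams(init.body);
    if (form.get('grant_type') !== 'refresh_token') return reply(400, { error: 'unsupported_grant_type' });
    const presented = form.get('refresh_token');
    if (!live.has(presented)) {
      return reply(400, { error: 'invalid_grant', error_description: 'The refresh token was invalid or has expired.' });
    }
    const body = { access_token: `at-${++counter}`, token_type: 'Bearer', expires_in: 3600, scope: 'openid profile email' };
    if (rotate) { live.delete(presented); live.add(`rt-${counter}`); body.refresh_token = `rt-${counter}`; }
    return reply(200, body);
  };
}
```

Keep the whole record (including expiresAt and the possibly rotated refresh token) in server-side storage after each refresh; a RefreshError with requiresReauth true means the stored refresh token is no longer usable and the user must go through the sign-in flow again.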
⚠️ Refresh tokens should be treated with the same level of security as passwords. They should be stored securely and never exposed to the client-side of a web application.