Refresh Tokens

CyberArk Identity supports refresh tokens for OAuth Clients and for OpenID Connect.

This page provides the API flow for using a refresh token to obtain a new access token.

Obtaining a Refresh Token During Authorization

Before you can use a refresh token, you must first grant authorization. The following example shows the part of the Authorization (Auth) Code Flow in which a request is made to exchange an authorization code for an access token:

POST https://mytenant.idaptive.app/oauth2/token/myapplication HTTP/1.1
Content-Type: application/x-www-form-urlencoded

redirect_uri=https%3A%2F%2Faaa3226.mytenant.com%2Fsysinfo%2Fdummy&code=HsOynOzaKL_yCo_-cJhh4xM...&grant_type=authorization_code

The response includes both an access token and a refresh token:

{  
   "access_token":"eyJhbGciOiJSU...",
   "token_type":"Bearer",
   "refresh_token":"oXSi9unNG0eUDh...",
   "expires_in":18000,
   "scope":"all"
}

Using the Refresh Token

Once you have a refresh token, call the /token/ endpoint with the grant_type parameter set to refresh_token:

POST https://mytenant.idaptive.app/oauth2/token/myapplication HTTP/1.1
Content-Type: application/x-www-form-urlencoded

client_id=abcd&client_secret=1234567&grant_type=refresh_token&refresh_token=oXSi9unNG0eUDh...

The response contains a new access_token:

{  
   "access_token":"eyJhbGciOi...",
   "token_type":"Bearer",
   "expires_in":18000,
   "scope":"all"
}
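The refresh exchange above from the client's side, as an added example that is not CyberArk's code. The endpoint URL and form parameters are the ones shown on this page; the function names, the state dictionary layout and the 60-second expiry skew are assumptions.

```python
import json
import time
import urllib.request
from urllib.parse import urlencode, urlsplit

# Placeholder endpoint copied from the requests on this page.
TOKEN_URL = "https://mytenant.idaptive.app/oauth2/token/myapplication"


def build_refresh_request(token_url, client_id, client_secret, refresh_token):
    """Build the form-encoded POST for grant_type=refresh_token."""
    if urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must use https")  # body carries secret and token
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def apply_token_response(state, raw_json, now):
    """Merge a token response into the stored state (hypothetical dict layout)."""
    resp = json.loads(raw_json)
    if str(resp.get("token_type", "")).lower() != "bearer" or not resp.get("access_token"):
        raise ValueError("unexpected token response")
    return {
        "access_token": resp["access_token"],
        # The refresh response shown above has no refresh_token: keep the stored one.
        "refresh_token": resp.get("refresh_token", state.get("refresh_token")),
        "expires_at": now + int(resp["expires_in"]),
    }


def needs_refresh(state, now, skew=60):
    """True once the access token is within `skew` seconds of expiry."""
    return now >= state["expires_at"] - skew


def refresh(state, client_id, client_secret, token_url=TOKEN_URL):
    """Send the refresh request and return the updated state (needs network access)."""
    req = build_refresh_request(token_url, client_id, client_secret, state["refresh_token"])
    with urllib.request.urlopen(req, timeout=10) as r:
        return apply_token_response(state, r.read(), time.time())
```

Store the state where the refresh token and client secret are protected at rest, and keep both out of logs and error messages.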
