Refreshing access tokens

Access tokens expire and need to be refreshed using the refresh_token.

Remember: the refresh_token is obtained by requesting the offline_access scope during the authorization flow, and is available in the Obtain token response.

Refresh token request

POST /oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=REFRESH_TOKEN
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET

Response

{
  "access_token": "<ACCESS_TOKEN>",
  "expires_in": 1209599,
  "id_token": "<ID_TOKEN>",
  "refresh_token": "<REFRESH_TOKEN>",
  "scope": "offline_access openid business/orders:read",
  "token_type": "bearer"
}

The response contains a new access_token and a new refresh_token. The new refresh_token must be stored and used for future refresh requests; the one you just presented is no longer valid.

Handling refresh token failures

Your application must handle refresh token failures:

  • Expired refresh token: Redirect user to authorization URL to re-grant consent
  • Revoked access: User has revoked your application’s access
  • Invalid client: Check your client credentials
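The following is an added example, not part of the original page and not the API's own client library. It sends the refresh request shown above, persists the rotated refresh_token, and maps failures to the three cases in the list: an expired or revoked token sends the user back to the authorization flow, a rejected client means the credentials need checking. It assumes the token endpoint reports failures in the standard OAuth 2.0 error shape ({"error": "invalid_grant"} / {"error": "invalid_client"}), which the page does not state, and it talks to a constructed in-process stand-in for the authorization server so it runs offline.

```python
"""Refresh-token rotation client with failure handling (added example)."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple
from urllib.parse import parse_qs, urlencode

TOKEN_PATH = "/oauth2/token"
FORM = "application/x-www-form-urlencoded"

# Transport signature: (path, content_type, body) -> (http_status, response_body).
# Swap in a real HTTP client here; the fake below is only for running offline.
Transport = Callable[[str, str, str], Tuple[int, str]]


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_in: int
    scope: str
    token_type: str


class ReauthorizationRequired(Exception):
    """Refresh token expired or access revoked: redirect to the authorization URL."""


class ClientCredentialsError(Exception):
    """Token endpoint rejected client_id/client_secret: check the credentials."""


def build_refresh_body(refresh_token: str, client_id: str, client_secret: str) -> str:
    # Same four form fields as the refresh request on the page.
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def refresh_access_token(store: Dict[str, str], client_id: str, client_secret: str,
                         transport: Transport) -> TokenSet:
    """POST the refresh request and rotate the stored refresh_token on success."""
    body = build_refresh_body(store["refresh_token"], client_id, client_secret)
    status, raw = transport(TOKEN_PATH, FORM, body)
    payload = json.loads(raw)
    if status == 200:
        tokens = TokenSet(
            access_token=payload["access_token"],
            refresh_token=payload["refresh_token"],
            expires_in=int(payload["expires_in"]),
            scope=payload["scope"],
            token_type=payload["token_type"],
        )
        # The presented refresh_token is now spent; persist the new pair before returning.
        store["refresh_token"] = tokens.refresh_token
        store["access_token"] = tokens.access_token
        return tokens
    # Assumption: errors use the RFC 6749 {"error": "..."} shape.
    error = payload.get("error", "unknown_error")
    if error == "invalid_grant":      # expired or revoked refresh token
        raise ReauthorizationRequired(error)
    if error == "invalid_client":     # wrong client_id or client_secret
        raise ClientCredentialsError(error)
    raise RuntimeError(f"token refresh failed: {error}")


def make_fake_token_endpoint(client_id: str, client_secret: str,
                             valid_refresh_tokens: Set[str]) -> Transport:
    """Constructed stand-in for the authorization server (not a real endpoint)."""
    counter = {"n": 0}

    def transport(path: str, content_type: str, body: str) -> Tuple[int, str]:
        assert path == TOKEN_PATH and content_type == FORM
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("client_id") != client_id or form.get("client_secret") != client_secret:
            return 401, json.dumps({"error": "invalid_client"})
        if form.get("grant_type") != "refresh_token":
            return 400, json.dumps({"error": "unsupported_grant_type"})
        old = form.get("refresh_token")
        if old not in valid_refresh_tokens:          # unknown, expired, or revoked
            return 400, json.dumps({"error": "invalid_grant"})
        valid_refresh_tokens.discard(old)            # rotation: old token is invalidated
        counter["n"] += 1
        new_refresh = f"rt-{counter['n']}"
        valid_refresh_tokens.add(new_refresh)
        return 200, json.dumps({
            "access_token": f"at-{counter['n']}",
            "expires_in": 1209599,
            "id_token": "<ID_TOKEN>",
            "refresh_token": new_refresh,
            "scope": "offline_access openid business/orders:read",
            "token_type": "bearer",
        })

    return transport


if __name__ == "__main__":
    transport = make_fake_token_endpoint("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", {"rt-0"})
    store = {"refresh_token": "rt-0"}
    print(refresh_access_token(store, "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", transport))
    try:
        refresh_access_token({"refresh_token": "rt-0"}, "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", transport)
    except ReauthorizationRequired:
        print("stale refresh_token rejected: send user back through authorization")
```

The store dictionary stands in for whatever durable storage holds the user's tokens; writing the new refresh_token to it before returning is the important step, because a crash between receiving the response and persisting it leaves the application holding only a token the server has already invalidated.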