# Applying Refresh Token After user authentication is completed, both the access token and refresh token will be returned. When the access token expires, you can use the refresh token to obtain a new access token. Example request: ``` curl -v -X POST https://{digiRunner_DOMAIN}/oauth/token \ -H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Authorization: Basic {client_secret}' \ -d 'grant_type=refresh_token' \ -d 'refresh_token={refresh_token}' ``` Parameters with details:
ParameterTypeRequirementDescription
client_secretStringRequired

Scenario I. Higher-Security (Client Password Required)

1. Client Password registered with digiRunner; needs to be encoded with Base64

2. Concatenate the client ID with ":" and the encoded client password, then encode the result with Base64 again to generate the value to be used

3. Example:

Client ID: tspclient

Client Password: tsp123abcd

Formula for generating the value:

Base64 Encode(ClientID+":"+Base64 Encode(Client Password))

Base64 Encode(tspclient+":"+Base64 Encode(tsp123abcd))

Base64 Encode(tspclient:dHNwMTIzYWJjZA==)

Output for client_secret:

dHNwY2xpZW50OmRITndNVEl6WVdKalpBPT0=

Scenario II. PKCE + Public Client (Client Password Not Required)

When the Public Client (With PKCE) option is selected in digiRunner's OAuth grant type, the client password is not required.

1. Concatenate the client ID with ":" (no client password is required)

2. Example:

Client ID: tspclient

Client Password: ""

Formula for generating the value:

Base64 Encode(ClientID+":")

Base64 Encode(tspclient+":")

Base64 Encode(tspclient:)

Output for client_secret:

dHNwY2xpZW50Og==

grant_typeStringRequiredrefresh_token, a fixed value
refresh_tokenStringRequired

Refresh Token, associated with the access token that requires refreshing

If the refresh token has expired, you must prompt the user to log in again to generate a new access token.

### Example of Successful Response If the refresh is successful, a new access token will be returned. Example: ``` { "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJub2RlIjoiZXhlY3V0b3IxIiwiYXVkIjpbIllXUnRhVzVCVUVrIl0sInVzZXJfbmFtZSI6InRzcHVzZXIiLCJvcmdfaWQiOiIxMDAwMDAiLCJzY29wZSI6WyIyMDAwMDAwMDA2Il0sInN0aW1lIjoxNjg0ODA5NzE3NjY4LCJleHAi...", "expires_in": 86399, "jti": "41fa8a7b-b21d-4598-b254-5ffbed8b619f", "node": "executor1", "org_id": "100000", "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJub2RlIjoiZXhlY3V0b3IxIiwiYXVkIjpbIllXUnRhVzVCVUVrIl0sInVzZXJfbmFtZSI6InRzcHVzZXIiLCJvcmdfaWQiOiIxMDAwMDAiLCJzY29wZSI6WyIyMDAwMDAwMDA2Il0sImF0aSI6ImMyYzAzNTc0LTI2ODItNGYwMi...", "scope": "2000000006", "stime": 1684742522981, "token_type": "bearer" } ``` ### Example of Error Response If the refresh token has expired, a 401 Unauthorized HTTP status code and JSON response will be returned. Example: ``` { "error": "invalid_token", "error_description": "Invalid refresh token (expired): eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJub2RlIjoiZXhlY3V0b3IxIiwiYXVkIjpbIllXUnRhVzVCVUVrIl0sInVzZXJfbmFtZSI6InRzcHVzZXIiLCJvcmdfaWQiOiIxMDAwMDAiLCJzY29wZSI6WyIyMDAwMDAwMDA2Il0sImF0aSI6ImMyYzAzNTc0LTI2ODItNGYwMi..." } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.tpi.dev/api-integration-guide/token-lifecycle-management-mechanism/applying-refresh-token.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.