Refresh Access Token

curl --request POST \
  --url https://crypto.westminister.tech/api/v1/auth/refresh \
  --header 'Content-Type: application/json' \
  --data '
{
  "refresh_token": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
'

{
  "access_token": "v2.local.eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "b2c3d4e5-f6g7-8901-bcde-f23456789012",
  "token_type": "bearer",
  "expires_in": 900,
  "user": {
    "id": "5c81c005-1c52-4e0d-85e2-862ee1cdd4d0",
    "email": "user@example.com",
    "phone_number": "+254712345678",
    "first_name": "John",
    "last_name": "Doe",
    "role": "customer",
    "kyc_status": "pending"
  }
}

Users

Refresh Access Token

Exchanges a valid refresh token for a new access token and a new refresh token.

This endpoint implements refresh token rotation for enhanced security:

The provided refresh token is immediately revoked upon successful use
A new refresh token is issued along with the new access token
Old refresh tokens cannot be reused, reducing the risk of token replay attacks

Usage Flow:

Client calls a login endpoint and receives access_token and refresh_token
When access_token expires (typically 15 minutes), client calls this endpoint with refresh_token
Client receives a new access_token and a new refresh_token
Client discards the old refresh_token and uses the new one for future refreshes

Security Notes:

Refresh tokens should be stored securely (e.g., HTTP-only cookies or secure storage)
Never expose refresh tokens in URLs, logs, or client-side JavaScript
If a refresh token is compromised, revoke it immediately via the logout endpoint

POST

api

auth

refresh

Refresh Access Token

curl --request POST \
  --url https://crypto.westminister.tech/api/v1/auth/refresh \
  --header 'Content-Type: application/json' \
  --data '
{
  "refresh_token": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
'

{
  "access_token": "v2.local.eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "b2c3d4e5-f6g7-8901-bcde-f23456789012",
  "token_type": "bearer",
  "expires_in": 900,
  "user": {
    "id": "5c81c005-1c52-4e0d-85e2-862ee1cdd4d0",
    "email": "user@example.com",
    "phone_number": "+254712345678",
    "first_name": "John",
    "last_name": "Doe",
    "role": "customer",
    "kyc_status": "pending"
  }
}

Body

application/json

Request payload for refreshing an access token.

refresh_token

string

required

The refresh token previously issued by a login endpoint.

Example:

"a1b2c3d4-e5f6-7890-abcd-ef1234567890"

Response

Token refreshed successfully

Authentication response returned by login endpoints.

access_token

string

Short-lived PASETO bearer token used for authenticated API calls.

Example:

"v4.local.eyJzdWIiOiJ1c2VyLWlkIiwicm9sZSI6InVzZXIifQ..."

refresh_token

string

Long-lived refresh token used to obtain new access tokens. Store securely and never expose in URLs or logs.

Example:

"a1b2c3d4-e5f6-7890-abcd-ef1234567890"

token_type

string

Token type, typically 'bearer'.

Example:

"bearer"

expires_in

integer<int64>

Access token lifetime in seconds.

Example:

900

user

object

Show child attributes