Refresh access token

POST /sessions/tokens
Bearer auth

Exchange a refresh token for a new access token. Access tokens expire after ~15 minutes. Important: Each call returns a new refresh token and invalidates the previous one - you must persist the new refresh token for future use. See the 'Getting Started' section for details.

Headers

  • Authorization string Required

    Bearer token with refresh token value (not access token)

Responses

  • 200 application/json

    New tokens generated successfully

    Hide response attributes Show response attributes object
    • accessToken string Required

      JWT access token - use for API requests

    • refreshToken object Required
      Hide refreshToken attributes Show refreshToken attributes object
      • createdAt string Required

        Creation timestamp

      • expiredAt string Required

        Expiration timestamp (14 days from creation)

      • id integer Required

        Refresh token ID

      • updatedAt string Required

        Last update timestamp

      • value string Required

        Refresh token value - persist this for next refresh
  • 401 application/json

    Invalid or expired refresh token

    Hide response attributes Show response attributes object
    • errorCode string Required

      Error code

    • message string Required

      Error message
POST /sessions/tokens 
curl \
 --request POST 'https://auth.bank.place/sessions/tokens' \
 --header "Authorization: Bearer cfbaa163-2e4e-48ad-b8b4-7f88adb03d9e"
Response examples (200) 
{
  "accessToken": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": {
    "id": 25441,
    "value": "f3450c8c-718c-423d-8af0-d00d94c895ea",
    "createdAt": "2025-10-12T02:06:05.382028475Z",
    "expiredAt": "2025-10-26T02:06:05.382011477Z",
    "updatedAt": "2025-10-12T02:06:05.382028647Z"
  }
}
Response examples (401) 
{
  "message": "Invalid request parameters",
  "errorCode": "invalid_request"
}