The refresh endpoint allows a client to obtain a new access_token without asking the user to log in again. It reads the refreshToken cookie set during /login, forwards it to the external auth service (/api/AuthJWT/RefreshToken), and returns a fresh JWT. If the external service issues a new refresh token, the cookie is silently rotated as well.

Endpoint

POST /api/auth/refresh
Property | Value
Auth required | No — uses the refreshToken httpOnly cookie instead
Request body | None
Content-Type | Not required

Request

No JSON body is needed. The endpoint reads the Cookie request header automatically. The browser or HTTP client must send the refreshToken cookie that was set by a previous call to /login.
If the Cookie header is entirely absent, the server immediately returns 401 with code NO_REFRESH_COOKIE — it does not attempt to contact the external auth service.

Response — 200 OK

A successful token renewal returns a new access_token. If the external service rotates the refresh token, the Set-Cookie header is updated automatically.
status (string): Always "success" on a 200 response.
message (string): Human-readable confirmation, e.g. "Token renovado".
data (object)
When the external auth service returns a rotated refresh token, the backend updates the cookie:
Set-Cookie: refreshToken=<new-value>; HttpOnly; Path=/api/auth; SameSite=<policy>; Max-Age=86400
If the external service does not rotate the token, no new Set-Cookie header is sent and the existing cookie remains valid.

Error Responses

Status | Description
401 | Refresh token is missing, expired, or has been revoked — the user must log in again
503 | External auth service is unreachable or returned an unexpected error

Example

Request

curl -X POST http://localhost:4000/api/auth/refresh \
  -b cookies.txt \
  -c cookies.txt
The -b cookies.txt flag sends the stored refreshToken cookie, and -c cookies.txt saves any rotated cookie returned by the server.

Success response

{
  "status": "success",
  "message": "Token renovado",
  "data": {
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

Expired or missing token response (401)

{
  "status": "error",
  "code": "UNAUTHORIZED",
  "message": "Refresh token inválido o expirado"
}

Proactively call /refresh before the access_token expires rather than waiting for a 401 on a protected route. Decode the token and inspect the exp claim (Unix timestamp) to schedule the refresh ahead of time, ensuring uninterrupted sessions without noticeable latency for your users.
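
The scheduling described above, as an added browser-side example (not code from this project): it reads exp without verifying the signature, which is acceptable only because the value is used for timing, and it relies on the browser to attach the httpOnly cookie. The 60-second leeway, the 5-second minimum delay, the callback names and the same-origin relative URL are assumptions.

```javascript
const REFRESH_URL = "/api/auth/refresh"; // endpoint documented on this page
const LEEWAY_SEC = 60;     // assumption: refresh 60 s before exp
const MIN_DELAY_MS = 5000; // assumption: floor so a short-lived token cannot cause a tight loop
// Constructed sample: header from this page, payload {"exp":2000000000}, dummy signature.
const SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjIwMDAwMDAwMDB9.sig";

// Decode the payload WITHOUT verifying the signature. Treat the claims as
// untrusted: good enough for timing, never for authorization decisions.
function decodeJwtPayload(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Milliseconds until the refresh should fire; 0 means the token is already due.
function msUntilRefresh(token, nowMs = Date.now(), leewaySec = LEEWAY_SEC) {
  const { exp } = decodeJwtPayload(token);
  if (!Number.isFinite(exp)) throw new Error("no numeric exp claim");
  return Math.max(0, (exp - leewaySec) * 1000 - nowMs);
}

// POST with no body; credentials: "include" lets the browser attach the httpOnly cookie.
async function refreshAccessToken(fetchImpl = fetch) {
  const res = await fetchImpl(REFRESH_URL, { method: "POST", credentials: "include" });
  if (res.status === 401) return null; // user must log in again
  if (!res.ok) throw new Error(`refresh failed: HTTP ${res.status}`); // e.g. 503
  return (await res.json()).data.access_token;
}

// Re-arms itself after every renewal. Returns a cancel function (call it on logout).
function scheduleRefresh(token, { onToken, onLoggedOut, onError }, fetchImpl = fetch) {
  let timer, cancelled = false;
  const arm = (current) => {
    // setTimeout overflows above 2^31 - 1 ms, so clamp the delay on both sides.
    const delay = Math.min(2 ** 31 - 1, Math.max(MIN_DELAY_MS, msUntilRefresh(current)));
    timer = setTimeout(async () => {
      try {
        const next = await refreshAccessToken(fetchImpl);
        if (cancelled) return;
        if (next === null) return onLoggedOut();
        onToken(next);
        arm(next);
      } catch (err) { onError(err); }
    }, delay);
  };
  arm(token);
  return () => { cancelled = true; clearTimeout(timer); };
}
```

Keep the returned access_token in memory and pass it to onToken; the refresh token itself never reaches script because the cookie is httpOnly.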
