Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/CristianRR94/springCommunity/llms.txt

Use this file to discover all available pages before exploring further.

When a client’s access token has expired, it can call this endpoint to obtain a new token pair without requiring the user to log in again. The server validates the provided refresh token — checking its signature, expiry, type, and revocation status — then revokes all existing tokens for that user and issues a fresh access token and refresh token. This rotation strategy ensures that a stolen refresh token can only be used once.

Endpoint

POST /auth/refresh
Auth required: A valid REFRESH-type token in the Authorization header. Do not pass an access token here.

Request Headers

Authorization
string
required
Must be in the format Bearer <refreshToken> where <refreshToken> is the refresh_token value received from a previous /auth/login or /auth/refresh response. Passing an access token instead of a refresh token will result in a 500 error.

Response

A 200 OK response with a JSON body containing a brand-new token pair.
access_token
string
A newly issued JWT access token. Replace the expired token in your client with this value. Default TTL: 1 hour (configurable via JWT_EXPIRATION).
refresh_token
string
A newly issued JWT refresh token. The old refresh token is revoked as part of this call — store this new value for future refresh requests. Default TTL: 7 days (configurable via JWT_REFRESH_EXPIRATION).

Response Example

{
  "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOjEsIm5vbWJyZSI6ImNyaXN0aWFuOTQiLCJ0aXBvVXNvIjoiQUNDRVNTIiwicm9sZXMiOlsiUk9MRV9VU0VSIl0sImp0aSI6ImNjY2MtOTk5OSIsInN1YiI6ImNyaXN0aWFuOTQiLCJpYXQiOjE3MDAwMDM2MDAsImV4cCI6MTcwMDAwNzIwMH0.signature",
  "refresh_token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOjEsIm5vbWJyZSI6ImNyaXN0aWFuOTQiLCJ0aXBvVXNvIjoiUkVGUkVTSCIsInJvbGVzIjpbIlJPTEVfVVNFUiJdLCJqdGkiOiJkZGRkLTg4ODgiLCJzdWIiOiJjcmlzdGlhbjk0IiwiaWF0IjoxNzAwMDAzNjAwLCJleHAiOjE3MDA2MDg0MDB9.signature"
}

Error Responses

StatusCondition
401 UnauthorizedThe token’s signature is invalid or the JWT is structurally malformed. The response body will contain "Token inválido".
401 UnauthorizedThe token has expired (ExpiredJwtException). The response body will contain "La sesión ha expirado".
404 Not FoundThe username embedded in the refresh token does not match any user in the database.
500 Internal Server ErrorThe Authorization header is missing or does not start with Bearer , the token is not of type REFRESH, or the token has been revoked or marked expired in the database. These conditions throw IllegalArgumentException, which is not mapped by the global exception handler.

Error Response Body

{
  "status": 401,
  "mensaje": "La sesión ha expirado",
  "timestamp": 1700000000000
}

curl Example

curl -X POST http://localhost:8080/auth/refresh \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...your_refresh_token_here"

Only tokens with an internal type claim of REFRESH are accepted by this endpoint. If you pass an access token in the Authorization header, the server will reject the request with 500 Internal Server Error because the token type check throws an unhandled IllegalArgumentException. Always store and use the refresh_token field from the login/register response for this call.
Refresh token rotation is enforced: each call to /auth/refresh revokes all existing tokens for the user and issues a completely new pair. You must persist the new refresh_token returned in the response — the old one is immediately invalidated and cannot be reused.

Build docs developers (and LLMs) love