POST /api/auth/refresh

Issues a new access token using a valid refresh token. Use this endpoint when the access token has expired to continue making authenticated requests without requiring the user to log in again.

Authentication

This endpoint requires a refresh token in the Authorization header — not an access token.
Authorization: Bearer <refresh_token>
Refresh tokens are issued by POST /api/auth/login and stored in the database. A refresh token is valid until it expires or is explicitly revoked via POST /api/auth/logout.

Request body

No request body is required.

Response

200 OK

Returns a new access token.
  • success (boolean, required): true on success.
  • message (string): Confirmation message.
  • data (object, required)

Error responses

Status | Description
401 | Refresh token is missing, invalid, expired, or has been revoked

Token rotation strategy

Access tokens are short-lived by design. When a request returns 401 Unauthorized, follow this flow:
  1. Call POST /api/auth/refresh with the stored refresh token.
  2. If the refresh succeeds, store the new access token and retry the original request.
  3. If the refresh returns 401, the refresh token is invalid or expired. Redirect the user to log in again.
A refresh token is invalidated when:
  • It is explicitly revoked via POST /api/auth/logout.
  • The user changes their password (all refresh tokens are revoked).
  • The token’s expiry time passes.
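
The flow above as a client-side wrapper. This is an added example, not code from this API's project. It assumes a hypothetical transport `send(method, path, headers)` that resolves to `{ status, body }`, a caller-owned `tokens` object, and a `LOGIN_REQUIRED` error name chosen here. It refreshes at most once per failed request and shares one refresh call between concurrent 401s.

```javascript
// Added example (not the project's code). `send` is a hypothetical transport
// returning a promise of { status, body }; a real client would wrap fetch().
// `tokens` is { access, refresh }, held by the caller.
function createAuthClient(send, tokens) {
  let refreshing = null; // shared promise: concurrent 401s trigger one refresh

  async function refreshAccessToken() {
    // The refresh token is sent only to the refresh endpoint, never elsewhere.
    const res = await send('POST', '/api/auth/refresh', {
      Authorization: `Bearer ${tokens.refresh}`,
    });
    const fresh = res.status === 200 && res.body && res.body.data
      ? res.body.data.access_token
      : null;
    if (!fresh) {
      // Step 3: refresh token is invalid, expired or revoked. Drop both
      // tokens so nothing stale is retried, and signal that login is needed.
      tokens.access = null;
      tokens.refresh = null;
      throw new Error('LOGIN_REQUIRED');
    }
    tokens.access = fresh; // Step 2: store the new access token
  }

  async function request(method, path) {
    // Reads tokens.access at call time, so the retry uses the new token.
    const call = () => send(method, path, { Authorization: `Bearer ${tokens.access}` });
    const res = await call();
    if (res.status !== 401) return res;
    if (!tokens.refresh) throw new Error('LOGIN_REQUIRED');
    // Step 1: start a refresh unless one is already in flight.
    if (!refreshing) {
      refreshing = refreshAccessToken().finally(() => { refreshing = null; });
    }
    await refreshing;
    // Retry exactly once. A second 401 is returned to the caller, not looped on.
    return call();
  }

  return { request };
}
```
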
curl --request POST \
  --url https://task-forge-gbd6h8gtg8hchve9.chilecentral-01.azurewebsites.net/api/auth/refresh \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI0MiIsImlhdCI6MTc0MjIwMDAwMCwiZXhwIjoxNzQ0NzkyMDAwfQ.def456'
{
  "success": true,
  "message": "Token refrescado con exito",
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI0MiIsImlhdCI6MTc0MjI4NjQwMCwiZXhwIjoxNzQyMzcyODAwfQ.ghi789"
  }
}
