Access tokens are deliberately short-lived — they expire after 15 minutes — to limit the window of exposure if one is intercepted. Rather than forcing users to re-enter their credentials every quarter of an hour, clients hold onto a long-lived refresh token (valid for 30 days) and silently exchange it for a fresh access token whenever the current one expires. This endpoint, provided by djangorestframework-simplejwt’s TokenRefreshView, performs that exchange. The refresh token itself is not rotated by default: the same refresh token can be used repeatedly until it expires or the user’s account is deactivated. No Authorization header is required — the refresh token is the sole credential.

Endpoint

Method: POST
Path: /api/user/token/refresh
Auth required: No
Content-Type: application/json

The refresh flow

Client                                    Server
  │                                          │
  │  ── POST /api/user/token/ ─────────────> │  (login once)
  │  <─ { access, refresh } ────────────────│
  │                                          │
  │  ── GET /api/... (Authorization: Bearer access) ──> │
  │  <─ 200 OK ─────────────────────────────│
  │                                          │
  │  [15 minutes pass — access token expires]
  │                                          │
  │  ── GET /api/... ──────────────────────> │
  │  <─ 401 Unauthorized ───────────────────│
  │                                          │
  │  ── POST /api/user/token/refresh ──────> │  (this endpoint)
  │     { "refresh": "<refresh_token>" }     │
  │  <─ { "access": "<new_access_token>" } ─│
  │                                          │
  │  ── GET /api/... (new access token) ───> │
  │  <─ 200 OK ─────────────────────────────│

Request Body

refresh (string, required)
The refresh token obtained from the Login endpoint. The token must be valid and not yet expired (30-day lifetime). A token that has been tampered with or belongs to a deactivated account will be rejected with 401.

Responses

200 OK

Returned when the refresh token is valid. The response contains a new access token. The refresh token supplied in the request is not changed.
access (string)
A freshly issued JWT access token. Valid for another 15 minutes from the time of issue. Replace the expired token stored on the client with this new value.
200 OK
{
  "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzA5MDAwOTAwLCJpYXQiOjE3MDkwMDAwMDAsImp0aSI6Im5ld2p0aSIsInVzZXJfaWQiOjF9.newsignature"
}

401 Unauthorized

Returned when the refresh token is invalid, expired, or malformed.
401 Unauthorized
{
  "detail": "Token is invalid or expired",
  "code": "token_not_valid"
}
If the refresh token expires, the user must log in again. Refresh tokens last 30 days from the time of the original login. There is no mechanism to renew a refresh token without supplying credentials — once it is expired, redirect the user back to the login screen and call POST /api/user/token/ with their username and password to start a new session.

Examples

curl --request POST \
  --url http://localhost:8000/api/user/token/refresh \
  --header 'Content-Type: application/json' \
  --data '{
    "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }'
A common TypeScript client pattern is an axios response interceptor that automatically retries a failed request with a refreshed access token whenever the server returns 401. This means the rest of your application code never needs to handle token expiry manually.
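
The retry-on-401 pattern described above, as an added example that is not the project's own code: it swaps the axios interceptor for a transport-agnostic wrapper so it runs without dependencies. The names `Send`, `Tokens` and `createClient` are hypothetical. Concurrent 401s share a single refresh call, and a rejected refresh token clears the session and raises `login_required`.

```typescript
// Added example. `Send`, `Tokens` and `createClient` are hypothetical names;
// `Send` stands in for the HTTP transport (axios, fetch, ...).
type Res = { status: number; body: any };
type Send = (method: string, path: string,
             headers: Record<string, string>, body?: unknown) => Promise<Res>;
interface Tokens { access: string | null; refresh: string | null }

function createClient(send: Send, tokens: Tokens) {
  let inFlight: Promise<void> | null = null; // one refresh shared by concurrent 401s

  async function refreshAccess(): Promise<void> {
    if (!tokens.refresh) throw new Error("login_required");
    // No Authorization header: the refresh token is the sole credential.
    const res = await send("POST", "/api/user/token/refresh",
      { "Content-Type": "application/json" }, { refresh: tokens.refresh });
    if (res.status !== 200) {
      // token_not_valid: refresh token expired or rejected. Drop both tokens
      // so the caller sends the user back to the login screen.
      tokens.access = tokens.refresh = null;
      throw new Error("login_required");
    }
    tokens.access = res.body.access; // the refresh token itself is unchanged
  }

  return async function request(method: string, path: string, body?: unknown): Promise<Res> {
    const used = tokens.access;
    const first = await send(method, path, { Authorization: `Bearer ${used}` }, body);
    if (first.status !== 401) return first;
    // Refresh only if nobody replaced the token while this request was in flight.
    if (tokens.access === used) {
      if (!inFlight) {
        const done = () => { inFlight = null; };
        inFlight = refreshAccess();
        inFlight.then(done, done);
      }
      await inFlight;
    }
    // Retry exactly once so a persistent 401 cannot loop.
    return send(method, path, { Authorization: `Bearer ${tokens.access}` }, body);
  };
}
```

Callers should catch `login_required` and start a new session with POST /api/user/token/.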