POST /:projectId/api/v7/auth/request-new-access-token
Request Access Token

Example request (curl):
curl --request POST \
  --url https://api.replyke.com/api/v6/:projectId/api/v7/auth/request-new-access-token \
  --header 'Content-Type: application/json' \
  --data '
{
  "refreshToken": "<string>"
}
'
Example response (200, valid refresh token supplied):
{
  "success": true,
  "accessToken": {},
  "refreshToken": "<string>",
  "user": {
    "id": "<string>",
    "foreignId": {},
    "role": "<string>",
    "email": {},
    "name": {},
    "username": {},
    "avatar": {},
    "bio": {},
    "metadata": {},
    "reputation": {},
    "isVerified": {},
    "isActive": {},
    "lastActive": {},
    "suspensions": [
      {}
    ],
    "avatarFile": {},
    "bannerFile": {},
    "authMethods": [
      "<string>"
    ],
    "createdAt": "<string>"
  }
}
Exchanges a valid refresh token for a new access token and a new refresh token. This endpoint implements refresh token rotation: every successful call revokes the current refresh token and issues a replacement. Reusing a revoked refresh token is detected as a potential replay attack and results in the entire token family being invalidated.

Body Parameters

refreshToken (string)
The refresh token JWT. If omitted or null, the server returns 200 with { user: null, accessToken: null }, indicating no active session. The success and refreshToken fields are absent in this case.

Response

When a valid refresh token is provided, the response is:
success (boolean)
true when a valid refresh token was provided and a new session was issued. This field is absent when no refresh token was submitted.
accessToken (string | null)
New short-lived JWT access token. Expires in 30 minutes. null if no refresh token was provided.
refreshToken (string)
New long-lived JWT refresh token (rotated). Expires in 30 days. This field is absent when no refresh token was provided.
user (object | null)
The authenticated user's full profile, or null if no refresh token was provided.

Token Rotation and Reuse Detection

Each call to this endpoint revokes the submitted refresh token and issues a new one. If the same refresh token is submitted again after being revoked:
  • Within 30 seconds of revocation (grace period): The server returns the successor token to handle concurrent requests gracefully.
  • After 30 seconds: The entire token family is destroyed and the user must sign in again.

Error Responses

{
  "error": "Refresh token does not match this project.",
  "code": "auth/refresh-token-project-mismatch"
}
{
  "error": "Refresh token not recognized.",
  "code": "auth/refresh-token-mismatch"
}
{
  "error": "Token reuse detected. All sessions in this family have been revoked.",
  "code": "auth/token-reuse-detected"
}
{
  "error": "Refresh token is expired or malformed.",
  "code": "auth/refresh-token-malformed"
}
{
  "error": "User not found.",
  "code": "auth/no-user-found"
}