POST /v1/keys.refresh

TypeScript (SDK)
import { Autumn } from 'autumn-js'

const autumn = new Autumn()

const result = await autumn.keys.refresh({});
{
  "access_token": "am_jwt_eyJhbGciOiJIUzI1NiJ9...",
  "refresh_token": "am_jwt_eyJhbGciOiJIUzI1NiJ9...",
  "expires_at": 1781113864000,
  "refresh_expires_at": 1781196664000
}
Exchanges a refresh token for a freshly rotated access + refresh pair. Self-service for the token holder — no secret key required. Send the refresh token as the Bearer credential.

How it works

The just-replaced refresh token is honored for one more rotation (a grace window so a dropped response or a second app instance doesn’t lock the customer out). Replaying a refresh token that is more than one generation old is treated as theft and revokes the customer’s tokens.
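// Client configured with the refresh token as its key
import { Autumn } from "autumn-js";

// JWT_REFRESH_TOKEN holds the customer's current refresh token (am_jwt_...)
const autumn = new Autumn({
  secretKey: JWT_REFRESH_TOKEN,
});

// The returned pair replaces the one in use; store the new refresh token
const { accessToken, refreshToken } = await autumn.keys.refresh({});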

Response

{
  "access_token": "am_jwt_eyJhbGciOiJIUzI1NiJ9...",
  "refresh_token": "am_jwt_eyJhbGciOiJIUzI1NiJ9...",
  "expires_at": 1781113864000,
  "refresh_expires_at": 1781196664000
}
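
The rotation rules under How it works, as a simplified in-memory model (an added example, not Autumn's code or part of the original page). It assumes each refresh token carries a per-customer generation counter; RotationModel, runScenario and the generation numbers are constructed for illustration.

```typescript
// Added example: simplified in-memory model of the rotation policy described
// above. Not Autumn's implementation; the generation counter is an assumption.
type Status = "rotated" | "revoked" | "invalid";

interface Outcome {
  status: Status;
  generation: number | null; // generation of the newly issued refresh token
  grace: boolean;            // true when the just-replaced token was accepted
}

class RotationModel {
  private current = 0;     // generation of the newest refresh token issued
  private revoked = false; // set once a replay is treated as theft

  refresh(presented: number): Outcome {
    const denied = (status: Status): Outcome =>
      ({ status, generation: null, grace: false });
    if (this.revoked) return denied("revoked");
    const age = this.current - presented;
    // A generation that was never issued cannot be a replay; just reject it.
    if (!Number.isInteger(presented) || presented < 0 || age < 0) return denied("invalid");
    // More than one generation old: treated as theft, everything is revoked.
    if (age > 1) {
      this.revoked = true;
      return denied("revoked");
    }
    // age 0 is the normal case; age 1 is the grace window (one more rotation).
    this.current += 1;
    return { status: "rotated", generation: this.current, grace: age === 1 };
  }
}

// Feed a sequence of presented generations to a fresh model (constructed input).
function runScenario(presented: number[]): Outcome[] {
  const model = new RotationModel();
  return presented.map((g) => model.refresh(g));
}

// Constructed scenario: the response to the first refresh is dropped, the client
// retries with generation 0 (grace), continues with 2, then a stale copy of
// generation 0 is replayed and the current token stops working too.
const demo = runScenario([0, 0, 2, 0, 3]);
console.log(demo.map((o) => `${o.status}${o.grace ? " (grace)" : ""}`).join(" -> "));
```

In this model a client that keeps only the newest refresh token and serializes its refresh calls never leaves the grace window.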

Authorizations

Authorization (string, header, required)

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Headers

x-api-version (string, default: 2.3.0, required)

Body

application/json

No body. The refresh token is supplied as the Bearer credential; the response is a freshly rotated access + refresh pair.

Response

200 - application/json

OK

access_token (string, required)

Access token (1h, or non-expiring if indefinite), prefixed am_jwt_.

expires_at (number | null, required)

Access-token expiry, ms since epoch. null for indefinite tokens.

refresh_token (string)

Rotating refresh token (24h). Omitted for indefinite tokens.

refresh_expires_at (number)

Refresh-token expiry, ms since epoch. Omitted for indefinite tokens.