Skip to main content

 

Documentation & User Guides | FotoWare

Refreshing Tokens

Refreshing Tokens

Access tokens have limited and usually very short lifetime. This is for reasons of security and performance. After an access token has expired, the client has to request a new one to continue using the FotoWeb API. This can be done in two ways:

  • Repeat the authorization process.
  • Request a new access token using a refresh token.

Refresh tokens may be obtained together with access tokens if authorization code grant type is used. Refresh tokens are not available when using implicit grant type.

A new access token is requested using a refresh token as follows:

POST https://myfotowebserver.com/fotoweb/oauth2/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json


grant_type=refresh_token&refresh_token=REFRESH_TOKEN&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

where

Parameter

Description

grant_type REQUIRED. Must always be refresh_token.
client_id REQUIRED. The unique ID of the client, which was obtained during client registration.
client_secret

The secret of the client, which was obtained during client registration.

REQUIRED if the client is a web application (was registered with a client secret).

MUST NOT BE GIVEN if the client is a native application or single-page application (was registered without a client secret).

refresh_token REQUIRED. The refresh token obtained during authorization.

On success, the server responds as follows:

200 OK
Content-Type: application/json

with the following response body:

{
  "access_token": ACCESS_TOKEN,
  "token_type": "bearer",
  "expires_in": EXPIRES_IN_SECONDS,
  "refresh_token": REFRESH_TOKEN
}

where

Parameter

Description

access_token The access token that is used to authorize requests to the FotoWeb API 
token_type This is always bearer.
expires_in Number of seconds after which the token is expected to expire.
refresh_token

OPTIONAL: A new refresh token.

The application can obtain the access token by parsing the response body.

If FotoWeb issues a new refresh token in the response, then the old refresh token (i.e., the one used in the request) is no longer valid.

It is unspecified whether and when FotoWeb will issue new refresh tokens when they are used to request new access tokens, so the client MUST support this case, even if it appears that FotoWeb does not issue new refresh tokens.