# Refresh Token

> Get a new access token using your refresh token. Every call issues a brand-new refresh token — the old one is immediately invalidated. Always persist the new refresh token from the response.


> 📘 Learn how to manage your access and refresh tokens [here](https://developers.xoxoday.com/v1.2/docs/refresh-token-access-token).

## Request Schema

| **Property**   | **Type** | **Description**                                                      |
| -------------- | -------- | -------------------------------------------------------------------- |
| grant\_type    | string   | Must be `"refresh_token"` to indicate token regeneration.            |
| refresh\_token | string   | The existing refresh token used to generate a new access token.      |
| client\_id     | string   | Client ID provided to you for authentication.                        |
| client\_secret | string   | Client secret used to authenticate and validate the refresh request. |

## Response Schema

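| **Property**           | **Type** | **Description**                                         |
| ---------------------- | -------- | ------------------------------------------------------- |
| access\_token          | string   | Newly generated access token.                           |
| token\_type            | string   | Type of token issued (`bearer`).                        |
| expires\_in            | number   | Access token validity duration (in seconds).            |
| refresh\_token         | string   | New refresh token issued to the user.                   |
| access\_token\_expiry  | string   | Epoch timestamp (ms) when the access token expires.     |
| refresh\_token\_expiry | string   | Epoch timestamp (ms) when the refresh token expires.    |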


## OpenAPI

````yaml specs/reward-link-api.yaml POST /token/user
openapi: 3.0.3
info:
  title: Xoxoday Reward Link API
  version: '1.2'
  description: >
    APIs for automating reward distribution via personalized reward links and
    campaigns.


    **Auth endpoints** resolve against
    `https://stagingstores.xoxoday.com/chef/v1/oauth`

    using a per-operation server override.


    **Campaign + Link operations** use
    `https://stagingstores.xoxoday.com/chef/v1/oauth/api`

    as the base. `/generateLink` and `/sendLinks` have dedicated real paths.

    Campaign operations (`/campaignList`, `/campaignDetails`) use short virtual
    path

    suffixes because both operations share the same real URL (`/v1/oauth/api`)
    and

    OpenAPI does not allow two POST operations on the same path.
servers:
  - url: https://stagingstores.xoxoday.com/chef/v1/oauth/api
    description: Sandbox
  - url: https://accounts.xoxoday.com/chef/v1/oauth/api
    description: Production
  - url: https://canvas.xoxoday.com/chef/v1/oauth/api
    description: Testing
security:
  - BearerAuth: []
tags:
  - name: Authentication
    description: Token management — validate and refresh access tokens.
  - name: Campaigns
    description: Fetch reward link campaigns and their details.
  - name: Links
    description: Generate and send reward links to recipients.
paths:
  /token/user:
    post:
      tags:
        - Authentication
      summary: Refresh Token
      description: >
        Get a new access token using your refresh token. Every call issues a
        brand-new refresh token — the old one is immediately invalidated. Always
        persist the new refresh token from the response.
      operationId: refreshToken
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - grant_type
                - refresh_token
                - client_id
                - client_secret
              properties:
                grant_type:
                  type: string
                  enum:
                    - refresh_token
                  description: Must be `"refresh_token"`.
                refresh_token:
                  type: string
                  description: >-
                    The existing refresh token used to obtain a new access
                    token.
                client_id:
                  type: string
                  description: Client ID provided to you for authentication.
                client_secret:
                  type: string
                  description: Client secret associated with the client ID.
            example:
              grant_type: refresh_token
              refresh_token: XXXXXXXXX
              client_id: XXXXXXXXX
              client_secret: XXXXXXXXX
      responses:
        '200':
          description: New tokens issued successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              example:
                access_token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
                token_type: bearer
                expires_in: 1296000
                refresh_token: dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...
                access_token_expiry: '1718000000000'
                refresh_token_expiry: '1720000000000'
        '401':
          $ref: '#/components/responses/Unauthorized'
      security: []
      servers:
        - url: https://stagingstores.xoxoday.com/chef/v1/oauth
          description: Sandbox
        - url: https://accounts.xoxoday.com/chef/v1/oauth
          description: Production
        - url: https://canvas.xoxoday.com/chef/v1/oauth
          description: Testing
components:
  schemas:
    TokenResponse:
      type: object
      properties:
        access_token:
          type: string
          description: Newly generated access token.
        token_type:
          type: string
          example: bearer
        expires_in:
          type: integer
          description: Access token validity in seconds.
        refresh_token:
          type: string
          description: New refresh token (old one is immediately invalidated).
        access_token_expiry:
          type: string
          description: Epoch timestamp (ms) when the access token expires.
        refresh_token_expiry:
          type: string
          description: Epoch timestamp (ms) when the refresh token expires.
  responses:
    Unauthorized:
      description: Missing or invalid access token.
      content:
        application/json:
          schema:
            type: object
            properties:
              error:
                type: string
                example: Unauthorized
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: '`Authorization: Bearer <access_token>`'

````
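
Because each refresh invalidates the previous refresh token, a client has to serialize refresh calls and persist the rotated token durably before relying on the new access token. The following is an added example, not Xoxoday's own code: the `RotatingTokenStore` class, the JSON token file and the injectable `post` transport are assumptions; the URL is the sandbox auth server from the spec above joined with `/token/user`.

```python
import json, os, tempfile, threading, time, urllib.request

# Sandbox auth server from the spec's per-operation override + the /token/user path.
TOKEN_URL = "https://stagingstores.xoxoday.com/chef/v1/oauth/token/user"

def http_post_json(url, payload):
    """Default transport: POST a JSON body over HTTPS and decode the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class RotatingTokenStore:
    """Hypothetical helper: holds the one valid refresh token and rotates it safely."""

    def __init__(self, path, client_id, client_secret, post=http_post_json):
        self.path, self.post = path, post
        self.client_id, self.client_secret = client_id, client_secret
        # Serialize refreshes: a second request carrying the old token would be rejected.
        self.lock = threading.Lock()

    def _save(self, tokens):
        # mkstemp creates the file 0600; fsync + atomic rename means a crash
        # leaves either the old file or the new one, never a truncated mix.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(self.path)))
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def access_token(self, skew_ms=60_000):
        with self.lock:
            with open(self.path) as f:
                tokens = json.load(f)
            # access_token_expiry is an epoch-milliseconds string in the response.
            if int(tokens.get("access_token_expiry", 0)) - skew_ms > time.time() * 1000:
                return tokens["access_token"]
            new = self.post(TOKEN_URL, {
                "grant_type": "refresh_token",
                "refresh_token": tokens["refresh_token"],
                "client_id": self.client_id,
                "client_secret": self.client_secret,
            })
            if not new.get("access_token") or not new.get("refresh_token"):
                raise RuntimeError("refresh failed; stored tokens left untouched")
            self._save(new)  # persist the rotated token before using the new access token
            return new["access_token"]
```

The lock only covers threads in one process; workers in separate processes or hosts need a shared lock or a single token-refreshing service, otherwise one of them will present an already-invalidated refresh token.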