# Refresh Token

> Get a new access token using your refresh token. Every call issues a brand-new refresh token — the old one is immediately invalidated. Always persist the new refresh token from the response.


> 📘 Learn how to manage your access and refresh tokens [here](https://developers.xoxoday.com/v1.2/docs/refresh-token-access-token-copy).

## Request Schema

| **Property**   | **Type** | **Description**                                                      |
| -------------- | -------- | -------------------------------------------------------------------- |
| grant\_type    | string   | Must be `"refresh_token"` to indicate token regeneration.            |
| refresh\_token | string   | The existing refresh token used to generate a new access token.      |
| client\_id     | string   | Client ID provided to you for authentication.                        |
| client\_secret | string   | Client secret used to authenticate and validate the refresh request. |

## Response Schema

| **Property**   | **Type** | **Description**                              |
| -------------- | -------- | -------------------------------------------- |
| access\_token  | string   | Newly generated access token.                |
| token\_type    | string   | Type of token issued (`bearer`).             |
| expires\_in    | number   | Access token validity duration (in seconds). |
| refresh\_token | string   | New refresh token issued to the user.        |
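
Because every call invalidates the previous refresh token, a client has to serialize its refresh calls and write the new token pair to durable storage before doing anything else with the response. The sketch below is an added example, not Xoxoday's code: `TokenManager`, the JSON token file and the injected `post` callable are assumptions, and `FakeTokenEndpoint` is a constructed stand-in for `POST /token/company` so the block runs offline.

```python
import json, os, threading, time

class FakeTokenEndpoint:
    """Constructed stand-in for POST /token/company: rotates on every call."""
    def __init__(self, first_refresh):
        self.valid, self.n = first_refresh, 0
    def __call__(self, body):
        if body["grant_type"] != "refresh_token" or body["refresh_token"] != self.valid:
            raise PermissionError("401 Unauthorized")  # old token is already invalid
        self.n += 1
        self.valid = f"refresh-{self.n}"
        now_ms = int(time.time() * 1000)
        return {"access_token": f"access-{self.n}", "token_type": "bearer",
                "expires_in": 1296000, "refresh_token": self.valid,
                "access_token_expiry": now_ms + 1296000 * 1000}

class TokenManager:
    """Hypothetical client-side helper: single-flight refresh + atomic persist."""
    def __init__(self, path, post, client_id, client_secret, skew_s=60):
        self.path, self.post = path, post
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.skew_ms, self.lock = skew_s * 1000, threading.Lock()

    def _load(self):
        with open(self.path) as f:
            return json.load(f)

    def _save(self, tokens):
        tmp = self.path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # owner-only
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)  # atomic swap: never a half-written token file

    def access_token(self):
        with self.lock:  # concurrent refreshes would invalidate each other's token
            tok = self._load()
            if tok.get("access_token_expiry", 0) - self.skew_ms > time.time() * 1000:
                return tok["access_token"]  # still valid, no rotation needed
            new = self.post({"grant_type": "refresh_token",
                             "refresh_token": tok["refresh_token"], **self.creds})
            if not new.get("access_token") or not new.get("refresh_token"):
                raise ValueError("token response missing access_token/refresh_token")
            self._save(new)  # persist the rotated refresh token before using the access token
            return new["access_token"]
```

In production, `post` would send the body as JSON over HTTPS to the `/token/company` server listed in the spec below. The in-process lock covers one process only, so several workers sharing one token need a shared lock or a single designated refresher.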


## OpenAPI

````yaml specs/reward-points-api.yaml POST /token/company
openapi: 3.0.3
info:
  title: Xoxoday Reward Points API
  version: '1.2'
  description: >
    APIs for sending, fetching, and cancelling reward points in the Xoxoday
    ecosystem.

    **Auth endpoints** use operation-level server overrides against
    `https://stagingstores.xoxoday.com/chef/v1/oauth`.

    **Points operations** (`/fetchPoints`, `/sendPoints`, `/cancelPoints`) are
    virtual path suffixes — all three really dispatch to `POST /v1/oauth/api`
    via the body `query` field. OpenAPI does not allow two POST operations on
    the same path, so virtual suffixes are used for playground differentiation.

    **Cancel Points** uses `accounts.xoxoday.com` as its real host
    (operation-level server override applied).
servers:
  - url: https://stagingstores.xoxoday.com/chef/v1/oauth/api
    description: Sandbox
  - url: https://accounts.xoxoday.com/chef/v1/oauth/api
    description: Production
  - url: https://canvas.xoxoday.com/chef/v1/oauth/api
    description: Testing
security:
  - BearerAuth: []
tags:
  - name: Authentication
    description: Token management — validate, refresh, and create user tokens.
  - name: Points
    description: Send, fetch, and cancel reward points.
paths:
  /token/company:
    post:
      tags:
        - Authentication
      summary: Refresh Token
      description: >
        Get a new access token using your refresh token. Every call issues a
        brand-new refresh token — the old one is immediately invalidated. Always
        persist the new refresh token from the response.
      operationId: refreshTokenPoints
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - grant_type
                - refresh_token
                - client_id
                - client_secret
              properties:
                grant_type:
                  type: string
                  enum:
                    - refresh_token
                  description: Must be `"refresh_token"`.
                refresh_token:
                  type: string
                  description: >-
                    The existing refresh token used to obtain a new access
                    token.
                client_id:
                  type: string
                  description: Client ID provided to you for authentication.
                client_secret:
                  type: string
                  description: Client secret associated with the client ID.
            example:
              grant_type: refresh_token
              refresh_token: XXXXXXXXX
              client_id: XXXXXXXXX
              client_secret: XXXXXXXXX
      responses:
        '200':
          description: New tokens issued successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              example:
                access_token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
                token_type: bearer
                expires_in: 1296000
                refresh_token: dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...
                access_token_expiry: 1718000000000
                refresh_token_expiry: 1720000000000
        '401':
          $ref: '#/components/responses/Unauthorized'
      security: []
      servers:
        - url: https://stagingstores.xoxoday.com/chef/v1/oauth
          description: Sandbox
        - url: https://accounts.xoxoday.com/chef/v1/oauth
          description: Production
        - url: https://canvas.xoxoday.com/chef/v1/oauth
          description: Testing
components:
  schemas:
    TokenResponse:
      type: object
      properties:
        access_token:
          type: string
          description: Newly generated access token.
        token_type:
          type: string
          example: bearer
        expires_in:
          type: integer
          description: Access token validity in seconds.
        refresh_token:
          type: string
          description: New refresh token (old one is immediately invalidated).
        access_token_expiry:
          type: number
          description: Epoch timestamp (ms) when the access token expires.
        refresh_token_expiry:
          type: number
          description: Epoch timestamp (ms) when the refresh token expires.
  responses:
    Unauthorized:
      description: Missing or invalid access token.
      content:
        application/json:
          schema:
            type: object
            properties:
              error:
                type: string
                example: Unauthorized
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: '`Authorization: Bearer <access_token>`'

````