> ## Documentation Index > Fetch the complete documentation index at: https://help-plum.xoxoday.com/llms.txt > Use this file to discover all available pages before exploring further. # Refresh Token > Get a new access token using your refresh token. Every call issues a brand-new refresh token — the old one is immediately invalidated. Always persist the new refresh token from the response. ## Request Schema | **Parameter** | **Type** | **Required** | **Description** | | ------------------ | -------- | ------------ | ------------------------------------------------------------------------------------------ | | **grant\_type** | string | Yes | Must be `"refresh_token"` for this API. | | **refresh\_token** | string | Yes | The previously issued refresh token used to obtain a new access token. | | **client\_id** | string | Yes | The client identifier provided by Xoxoday. | | **client\_secret** | string | Yes | The client secret associated with the client ID. Used to authenticate the refresh request. | ## Response Schema | **Parameter** | **Type** | **Description** | | -------------------------- | -------- | -------------------------------------------------------------------------------------------- | | **access\_token** | string | Newly issued access token to be used for authenticated API calls. | | **token\_type** | string | Token type. Always `"bearer"`. | | **expires\_in** | number | Lifetime of the access token in seconds. | | **refresh\_token** | string | Newly issued refresh token. Use this to generate new access tokens when current one expires. | | **access\_token\_expiry** | string | Epoch timestamp (milliseconds) indicating expiry time of the access token. | | **refresh\_token\_expiry** | string | Epoch timestamp (milliseconds) indicating expiry of the refresh token. | > 📘 Learn how to manage your access and refresh tokens [here](https://developers.xoxoday.com/v1.2/docs/refresh-token-access-token). ## OpenAPI ````yaml specs/rewards-auth.yaml POST /token/user openapi: 3.0.3 info: title: Xoxoday Rewards API – Authentication version: '1.2' description: > Token management for the Rewards API. Both paths resolve correctly against the default server — no virtual paths needed. servers: - url: https://stagingstores.xoxoday.com/chef/v1/oauth description: Sandbox - url: https://accounts.xoxoday.com/chef/v1/oauth description: Production - url: https://canvas.xoxoday.com/chef/v1/oauth description: Testing security: - BearerAuth: [] tags: - name: Authentication paths: /token/user: post: tags: - Authentication summary: Refresh Token description: > Get a new access token using your refresh token. Every call issues a brand-new refresh token — the old one is immediately invalidated. Always persist the new refresh token from the response. operationId: refreshTokenRewards requestBody: required: true content: application/json: schema: type: object required: - grant_type - refresh_token - client_id - client_secret properties: grant_type: type: string enum: - refresh_token description: Must be `"refresh_token"`. refresh_token: type: string description: The previously issued refresh token. client_id: type: string description: Client identifier provided by Xoxoday. client_secret: type: string description: Client secret associated with the client ID. example: grant_type: refresh_token refresh_token: XXXXXXXXX client_id: XXXXXXXXX client_secret: XXXXXXXXX responses: '200': description: New tokens issued successfully. content: application/json: schema: $ref: '#/components/schemas/TokenResponse' example: access_token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9... token_type: bearer expires_in: 1296000 refresh_token: dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4... access_token_expiry: '1718000000000' refresh_token_expiry: '1720000000000' '401': $ref: '#/components/responses/Unauthorized' security: [] components: schemas: TokenResponse: type: object properties: access_token: type: string description: Newly generated access token. token_type: type: string example: bearer expires_in: type: number description: Lifetime of the access token in seconds. refresh_token: type: string description: Newly issued refresh token. Old one is immediately invalidated. access_token_expiry: type: string description: Epoch timestamp (ms) when the access token expires. refresh_token_expiry: type: string description: Epoch timestamp (ms) when the refresh token expires. responses: Unauthorized: description: Missing or invalid access token. content: application/json: schema: type: object properties: error: type: string example: Unauthorized securitySchemes: BearerAuth: type: http scheme: bearer description: '`Authorization: Bearer `' ````