Refresh tokens

Refresh tokens are credentials used to obtain access tokens. For more information see RFC 6749.

When you redeem an authorization code for an access token, a refresh token is issued too. By default, refresh tokens are valid for 365 days and access tokens for 7 days; see Token Lifetime. After a refresh token expires, the user needs to reauthorize the application: you can't refresh a refresh token.

At any time during the validity of the refresh token, you can refresh your access token. The new access token will be valid for 7 days from the time of issue.

Note that no new refresh token is issued for a new authorization request if there's already an existing active refresh token. Instead, that refresh token will be returned, and the original refresh token expiry won't be changed.

Step 1 - Getting an access and refresh token

Follow the Authorization Code Workflow to get an access and refresh token.

Step 2 - Refreshing an access token

Use the refresh token from step 1 to request a new access token by calling the get access token endpoint with your refresh token. The endpoint will return a new access token.

Reference documentation

Use grant_type=refresh_token

Sample Request

POST /oauth2/token HTTP/1.1
Host: api.yelp.com
Content-Type: application/x-www-form-urlencoded

client_id={client_id}&
client_secret={client_secret}&
grant_type=refresh_token&
refresh_token={refresh_token_code}

The authorization server responds with a new access token with HTTP status code 200 if the token has been refreshed successfully:

{
  "access_token": "<128_character_long_string>",
  "token_type": "Bearer",
  "expires_in": 10000,
  "expires_on": "2016-08-26T15:25:16+00:00"
}
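
The refresh flow above from the client's side, as an added example that is not part of the original documentation or Yelp's own code: it builds the form-encoded request, parses the 200 response, and decides whether to use the access token, refresh it, or send the user back through authorization. The https scheme, the 5-minute skew, the function names and the sample response are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_URL = "https://api.yelp.com/oauth2/token"  # host/path from the sample request; https assumed
REFRESH_LIFETIME = timedelta(days=365)  # default refresh token lifetime stated above
# Constructed sample response: same fields as the page's sample, dummy token value.
SAMPLE_RESPONSE = json.dumps({"access_token": "A" * 128, "token_type": "Bearer",
                              "expires_in": 10000, "expires_on": "2016-08-26T15:25:16+00:00"})


def build_refresh_request(client_id, client_secret, refresh_token):
    """Build the POST; urlencode escapes '&', '=' and '+' inside secret values."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return Request(TOKEN_URL, data=body, headers=headers, method="POST")


def parse_token_response(status, text):
    """Return (access_token, expires_on) for a 200 response; reject anything else."""
    if status != 200:
        raise RuntimeError(f"token refresh failed with HTTP {status}")
    doc = json.loads(text)
    if doc.get("token_type") != "Bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    # The response carries no refresh token: keep using the one from step 1.
    return doc["access_token"], datetime.fromisoformat(doc["expires_on"])


def next_action(now, access_expires_on, refresh_issued_at, skew=timedelta(minutes=5)):
    """Return 'use', 'refresh' or 'reauthorize'.

    refresh_issued_at is the time the refresh token was FIRST issued; a later
    authorization request returns the same token with its expiry unchanged.
    """
    if now >= refresh_issued_at + REFRESH_LIFETIME:
        return "reauthorize"  # an expired refresh token cannot itself be refreshed
    if now >= access_expires_on - skew:
        return "refresh"  # renew slightly early to absorb clock skew
    return "use"
```

Pass the returned Request to urllib.request.urlopen to send it, and keep the request body out of logs, since it carries client_secret and the refresh token.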