Refresh tokens
Refresh tokens are credentials used to obtain access tokens. For more information, see RFC 6749.
When you redeem an authorization code for an access token, a refresh token is issued, too. Refresh tokens are valid for 365 days by default, and access tokens are valid for 7 days; see Token Lifetime. After a refresh token expires, the user needs to reauthorize the application.
Any time during the validity of the refresh token, you can refresh your access token. The new access token will be valid for 7 days from the time of issue.
For get access token v2, no new refresh token is issued for a new authorization request if there's already an existing active refresh token. Instead, that refresh token will be returned and the original refresh token expiry won't be changed.
get access token v3, in contrast, issues a new refresh token with a successful new authorization request.
Step 1 - Getting an access and refresh token
Follow the Authorization Code Workflow to get an access and refresh token.
Step 2 - Refreshing an access token
There are two endpoints available to exchange a refresh token for a new access token:
For either, call the endpoint using your refresh token from step 1. The endpoint will return a new access token. get access token v3 differs from v2 in the following ways:
- In addition to the new access token, it will return a new refresh token for future use.
- If an expired or otherwise invalid refresh token is used, the currently active refresh token is revoked.
Reference documentation
Use grant_type=refresh_token
Sample Requests
get access token v2
POST /oauth2/token HTTP/1.1
Host: api.yelp.com
Content-Type: application/x-www-form-urlencoded
client_id={client_id}&
client_secret={client_secret}&
grant_type=refresh_token&
refresh_token={refresh_token_code}
The authorization server responds with a new access token with HTTP status code 200 if the token has been refreshed successfully:
{
"access_token": "<128_character_long_string>",
"token_type": "Bearer",
"expires_in": 10000,
"expires_on": "2016-08-26T15:25:16+00:00",
}
get access token v3
POST /oauth2/token/v3 HTTP/1.1
Host: api.yelp.com
Content-Type: application/x-www-form-urlencoded
client_id={client_id}&
client_secret={client_secret}&
grant_type=refresh_token&
refresh_token={refresh_token_code}
The authorization server responds with a new access token and refresh token with HTTP status code 200 if the token has been refreshed successfully:
{
"access_token": "<128_character_long_string>",
"token_type": "Bearer",
"expires_in": 10000,
"expires_on": "2016-08-26T15:25:16+00:00",
"refresh_token": "<128_character_long_string>",
"refresh_token_expires_in": 31535999,
"refresh_token_expires_on": "2025-10-11T23:23:10+00:00"
}
Updated about 2 months ago