Refresh access and refresh tokens
POST /api/auth/refresh
Issues new tokens using the refresh token from the httpOnly cookie or the request body. The new refresh token is also set as a cookie. Both tokens are rotated on each call: the old refresh token is blacklisted and a new access/refresh pair is issued. The session accessExpiresAt is extended by another 30 minutes. The refresh endpoint queries the database directly (not the Redis cache) and only checks refreshExpiresAt, so an expired access token is expected and valid during refresh. New access token expires in 30 minutes; new refresh token expires in 7 days.
Request
Responses
- 200: Tokens refreshed successfully
- 400: Refresh token not provided
- 401: Refresh token is invalid or expired
- 429: Too many token refresh attempts, please try again later
- 500: Server error
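The rotation rules in the description above, as an added in-memory model (not this API's own code) that returns the documented 200/400/401 statuses. `SessionStore`, opaque random tokens, and reading the cookie before the request body are assumptions; rate limiting (429) is not modeled.

```python
import secrets
from datetime import datetime, timedelta, timezone

ACCESS_TTL = timedelta(minutes=30)  # access token lifetime stated above
REFRESH_TTL = timedelta(days=7)     # refresh token lifetime stated above

class SessionStore:
    """Hypothetical in-memory stand-in for the database and the blacklist."""
    def __init__(self):
        self.by_refresh = {}    # current refresh token -> session record
        self.blacklist = set()  # refresh tokens already rotated out

    def _issue(self, session, now):
        # Opaque random tokens are an assumption; the page does not give the format.
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        session["accessExpiresAt"] = now + ACCESS_TTL
        session["refreshExpiresAt"] = now + REFRESH_TTL
        self.by_refresh[refresh] = session
        return {"accessToken": access, "refreshToken": refresh}

    def login(self, user_id, now):
        return self._issue({"userId": user_id}, now)

    def refresh(self, cookie_token, body_token, now):
        """Return (status, new token pair or None)."""
        token = cookie_token or body_token  # cookie-first order is an assumption
        if not token:
            return 400, None                # refresh token not provided
        session = self.by_refresh.get(token)
        if token in self.blacklist or session is None:
            return 401, None                # rotated-out or unknown token
        if now >= session["refreshExpiresAt"]:
            return 401, None                # only refreshExpiresAt is checked
        # accessExpiresAt is not consulted: an expired access token is expected.
        self.blacklist.add(token)
        del self.by_refresh[token]
        return 200, self._issue(session, now)

def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    store = SessionStore()
    first = store.login("user-1", t0)
    later = t0 + timedelta(hours=2)                 # access token long expired
    ok, second = store.refresh(first["refreshToken"], None, later)
    replay, _ = store.refresh(None, first["refreshToken"], later)
    missing, _ = store.refresh(None, None, later)
    stale, _ = store.refresh(second["refreshToken"], None, later + timedelta(days=8))
    return ok, replay, missing, stale

print(demo())
```

A client that retries a refresh with the token it just used gets 401, so it must store the new pair from every 200 response before issuing another request.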