Autional API Reference

POST /oauth/refresh

OAuth 2.0 refresh token endpoint. Uses refresh_token to obtain a new access_token and refresh_token (rotation). Returns flat JSON (no code/message envelope). Reference: RFC 6749 §6 (Refreshing an Access Token).

OAuth None application/json

Request Body

Accepts an empty JSON object {}

Responses

| Status | Description | Schema |
| --- | --- | --- |
| 200 | Refreshed tokens (includes new access_token and refresh_token) | dto.OAuthTokenResponse |
| 400 | invalid_request: request parameters missing or invalid. Reference: RFC 6749 §5.2. | dto.OAuthErrorResponse |
| 401 | invalid_grant: refresh_token invalid or expired. Reference: RFC 6749 §5.2. | dto.OAuthErrorResponse |

Referenced Schemas

dto.AuthorizationDetailDTO

| Field | Type | Required | Example | Constraints | Description |
| --- | --- | --- | --- | --- | --- |
| actions | array of string | No | ["list_accounts", "read_balances"] | | Operation |
| constraints | object | No | | | Extension constraints |
| data_types | array of string | No | ["account_details", "balances"] | | Data type |
| identifier | string | No | account-12345 | | Identifier |
| locations | array of string | No | ["https://example.com/accounts"] | | Location |
| type | string | No | account_information | | Grant type |

dto.OAuthErrorResponse

OAuth standard error response

| Field | Type | Required | Example | Constraints | Description |
| --- | --- | --- | --- | --- | --- |
| error | string | No | invalid_request | | Error code |
| error_description | string | No | Missing required parameter | | Error description |
| error_uri | string | No | https://docs.example.com/errors | | Error URI |
| state | string | No | state-123 | | Status |

dto.OAuthTokenResponse

OAuth token response

| Field | Type | Required | Example | Constraints | Description |
| --- | --- | --- | --- | --- | --- |
| access_token | string | No | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... | | Access token |
| authorization_details | array of dto.AuthorizationDetailDTO | No | | | RAR authorization details |
| dpop_access_token_bound | boolean | No | | | Access token DPoP binding confirmation (RFC 9449) |
| dpop_signing_alg | string | No | | | DPoP signing algorithm (RFC 9449) |
| expires_in | integer | No | 3600 | | Expires in seconds |
| id_token | string | No | eyJhbGci... | | OIDC ID token |
| refresh_token | string | No | rt_abc123 | | Refresh token |
| scope | string | No | openid profile email | | Scope |
| token_type | string | No | Bearer | | Token type |
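
Client-side handling of the responses documented on this page, as an added example that is not Autional's own code: it stores the rotated refresh_token on every 200 and treats 401 invalid_grant as the signal to re-authenticate. `TokenSet`, `apply_refresh_response`, the exception names and the `require_dpop` policy are assumptions, and the sample bodies are constructed.

```python
import json
from dataclasses import dataclass

# Constructed sample bodies (field names from the schemas on this page).
SAMPLE_OK = (b'{"access_token":"eyJ.new","refresh_token":"rt_new",'
             b'"expires_in":3600,"token_type":"Bearer"}')
SAMPLE_INVALID_GRANT = b'{"error":"invalid_grant","error_description":"expired"}'


class ReauthRequired(Exception):
    """401 invalid_grant: the refresh token is dead, sign in again."""


class RefreshFailed(Exception):
    """Any other error or malformed body; keep the stored tokens."""


@dataclass(frozen=True)
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float
    dpop_bound: bool


def apply_refresh_response(status, body, now, require_dpop=False):
    """Return the TokenSet to store after one POST /oauth/refresh response."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise RefreshFailed("response is not JSON") from exc
    if not isinstance(doc, dict):
        raise RefreshFailed("response is not a flat JSON object")
    if status != 200:
        error = doc.get("error", "")
        if status == 401 and error == "invalid_grant":
            raise ReauthRequired(error)
        raise RefreshFailed(f"{status} {error}")
    access, refresh, ttl = (doc.get(k) for k in ("access_token", "refresh_token", "expires_in"))
    # Every field is "Required: No" in the schema, so validate before storing.
    if not (isinstance(access, str) and access and isinstance(refresh, str) and refresh):
        raise RefreshFailed("200 without access_token and refresh_token")
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
        raise RefreshFailed("missing or invalid expires_in")
    bound = doc.get("dpop_access_token_bound") is True
    if require_dpop and not bound:  # assumed client policy: refuse a binding downgrade
        raise RefreshFailed("token is not DPoP-bound")
    # Rotation: the previous refresh token is replaced, never kept as a fallback.
    return TokenSet(access, refresh, now + ttl, bound)
```

On either exception the caller keeps what it has stored; only a returned `TokenSet` overwrites it.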