Important
You are browsing documentation for version 5.1 of OroCommerce, supported until March 2026. Read the documentation for version 6.0 (the latest LTS version) to get up-to-date information.
See our Release Process documentation for more information on the currently supported and upcoming releases.
Password Grant Type: Refresh Token
When the access token expires, you can retrieve the new one with the refresh token. It applies only to the OAuth applications with the Password grant type. The main advantage of using the refresh token is that you do not need to pass login and password every time you request data.
Follow the next steps to get a new token:
Provide your Request URL.
The Request URL consists of your application URL and the /oauth2-token slug, e.g., https://yourapplication/oauth2-token`
Specify the content-type in headers:
Content-Type: application/json
Send a POST request with the following body parameters to the authorization server:
grant_type with the value
refresh_token
client_id with the client identifier
client_secret with the client’s secret. Can be skipped for public clients
refresh_token with the refresh token that was returned with an access token
Receive response from the authorization server with a JSON object containing the following properties:
token_type with the value
Bearer
expires_in = 3600 seconds. Once the token is generated, it is valid for an hour and can be used multiple times within this time limit to request the necessary data. Expiration time can by configured in config/config.yml of your application
access_token - a new access token
refresh_token - a new refresh token used to request a new token when the access_token expires
Use the generated access token to make requests to the API.
Example
Request
POST /oauth2-token HTTP/1.1
Content-Type: application/json
Request Body
{
"grant_type": "refresh_token",
"client_id": "your client identifier",
"client_secret": "your client secret",
"refresh_token": "your refresh token was returned with an access token"
}
Response Body
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "your new access token",
"refresh_token" "your new refresh token"
}
If your refresh token expires, send a request to the access token with Password grant type to get new access and refresh tokens.