
Refresh tokens


In this article, you'll learn how to extend active sessions for the Data API by refreshing tokens.

Robert van Boesschoten

Published: 19-06-2020

Last updated: 19-06-2020

Data requested through the Data API can be available to everyone (public data) or only to authorized users (private data). For the second group, an active session is required. With the new refresh token flow for the Data API, users can extend their active sessions instead of starting a new one.

Data API consumers using a JWT can now use a refresh token flow to extend the access token expiration, instead of having to log in again every time a JWT expires.

Refresh token

The login mutation has been updated to return a refreshToken:

mutation login {
     login(
         username: "<username>",
         password: "<password>",
         authProfileUuid: "<authProfileUuid>"
     ) {
         isValid
         jwtToken
         refreshToken
     }
}

This token can be used in a new refreshToken mutation, which extends your login by returning a new access token (jwtToken). Be aware that, for security reasons, a refreshToken can only be used once; the user receives a new one after the mutation has completed:

mutation refresh{
     refreshToken(token: "<refreshToken>") {
         isValid
         jwtToken
         refreshToken
         refreshExpiresIn
     }
}


 
Revoking a token

A refreshToken can also be revoked at any time using the revokeRefreshToken mutation:

mutation revoke{
     revokeRefreshToken(token: "<refreshToken>"){
         removed
         refreshId
     }
}
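
The single-use rule and the revocation described above, handled on the client side. This is an added example, not part of the original documentation or the Data API's own code. Assumptions: the `transport` callable that posts a GraphQL request, the `String!` variable type, an `isValid: false` reply for a spent token, and the constructed in-memory `FakeDataApi` that stands in for the server.

```python
import threading

# Assumption: the token argument is declared String! in the schema.
REFRESH = """mutation refresh($token: String!) {
  refreshToken(token: $token) { isValid jwtToken refreshToken refreshExpiresIn }
}"""
REVOKE = """mutation revoke($token: String!) {
  revokeRefreshToken(token: $token) { removed refreshId }
}"""

class TokenSession:
    """Holds the current jwtToken/refreshToken pair and rotates it safely."""
    def __init__(self, transport, jwt_token, refresh_token):
        self._send = transport         # hypothetical callable(query, variables) -> data dict
        self._lock = threading.Lock()  # one refresh at a time: the token is single-use
        self.jwt_token, self.refresh_token = jwt_token, refresh_token

    def refresh(self):
        with self._lock:
            result = self._send(REFRESH, {"token": self.refresh_token})["refreshToken"]
            if not result.get("isValid"):
                # Spent, revoked or expired token: drop both and require a new login.
                self.jwt_token = self.refresh_token = None
                return False
            # Replace BOTH tokens; the refresh token that was just sent is now spent.
            self.jwt_token, self.refresh_token = result["jwtToken"], result["refreshToken"]
            return True

    def logout(self):
        with self._lock:
            token, self.jwt_token, self.refresh_token = self.refresh_token, None, None
        return bool(token) and self._send(REVOKE, {"token": token})["revokeRefreshToken"]["removed"]

class FakeDataApi:
    """Constructed in-memory stand-in that enforces single-use refresh tokens."""
    def __init__(self, first_refresh_token):
        self.valid, self.counter = {first_refresh_token}, 0

    def __call__(self, query, variables):
        token = variables["token"]
        known = token in self.valid
        self.valid.discard(token)      # any presented token is spent from here on
        if "revokeRefreshToken" in query:
            return {"revokeRefreshToken": {"removed": known, "refreshId": None}}
        if not known:
            return {"refreshToken": {"isValid": False}}
        self.counter += 1
        self.valid.add(f"rt-{self.counter}")
        return {"refreshToken": {"isValid": True, "jwtToken": f"jwt-{self.counter}",
                                 "refreshToken": f"rt-{self.counter}", "refreshExpiresIn": 3600}}
```

A failed refresh clears both tokens so that a spent or revoked refreshToken is never retried; the caller falls back to the login mutation.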
