POST /api/auth/refresh
Issue a new access token using a valid refresh token.
This endpoint issues a new access token using a refresh token stored in an HTTP-only cookie.
It allows clients to continue authenticated sessions without requiring the user to log in again.
When to use
- When an access token has expired
- When receiving a 401 response due to token expiration
Request
HTTP
POST /api/auth/refresh
This endpoint does not require a request body.
A valid refresh token must be present as an HTTP-only cookie.
Fetch / Axios
credentials: "include"
Response
Success (200 OK)
Response
{
  "success": true,
  "data": {
    "accessToken": "<new-access-token>"
  }
}
A new access token is returned. The refresh token may also be rotated depending on server configuration.
Errors
Missing or invalid refresh token (401)
Error
{
  "success": false,
  "message": "Invalid or expired refresh token"
}
Rate limited (429)
Error
{
  "success": false,
  "message": "Too many requests"
}
Notes
- Refresh tokens are stored securely as HTTP-only cookies
- This endpoint does not require an access token
- Clients should retry the original request after refreshing
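One way a browser client can implement the refresh-and-retry flow from the notes above, as an added example that is not part of the original documentation. `createAuthClient`, the injectable `fetchImpl`, the in-memory token storage and the `Authorization: Bearer` header are assumptions; the page does not say how the access token is sent.

```javascript
// Added example (not from the API docs). Assumptions: createAuthClient,
// fetchImpl, and sending the access token as "Authorization: Bearer <token>".
function createAuthClient(fetchImpl = globalThis.fetch) {
  let accessToken = null; // held in memory only
  let refreshing = null;  // in-flight refresh shared by concurrent callers

  async function refresh() {
    // No request body: the browser attaches the HTTP-only refresh cookie.
    const res = await fetchImpl("/api/auth/refresh", {
      method: "POST",
      credentials: "include",
    });
    if (res.status === 429) throw new Error("rate-limited");
    if (!res.ok) throw new Error("session-expired"); // 401: log in again
    const body = await res.json();
    if (!body.success || !body.data || !body.data.accessToken) {
      throw new Error("session-expired");
    }
    accessToken = body.data.accessToken;
    return accessToken;
  }

  // Single-flight: several 401s at once trigger one refresh call, which
  // matters when the server rotates the refresh token on each use.
  function refreshOnce() {
    if (!refreshing) {
      refreshing = refresh().finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  function send(url, options) {
    const headers = { ...(options.headers || {}) };
    if (accessToken) headers.Authorization = `Bearer ${accessToken}`;
    return fetchImpl(url, { ...options, headers });
  }

  async function request(url, options = {}) {
    const res = await send(url, options);
    if (res.status !== 401) return res;
    await refreshOnce();       // rejects if the refresh token is invalid
    return send(url, options); // retry the original request exactly once
  }

  return { request, getToken: () => accessToken };
}
```

The retry happens once and is never looped, so a rejected refresh surfaces as an error the caller can turn into a redirect to login instead of repeatedly hitting the rate limit.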
Related APIs
- POST /api/auth/login – Start a new session
- POST /api/auth/logout – End the session