What is a Refresh Token?
- A Refresh Token is returned to the Client after a successful Access Authorization flow
- The Client passes the Refresh Token in the Token Exchange call:
POST /authorize/token
or
POST /decoupled/token
to obtain a new Access Token after the current one has expired (after 3600 seconds), but only within the time set by the "duration" parameter (in minutes) of the initial POST /authorize request
- A Refresh Token is long-lived (it is valid for as long as the consent given by the Resource Owner) and can be used only once
- After the Refresh Token expires, the authentication flow needs to be executed again from the start
- A new Refresh Token is always issued together with the Access Token
- Refer also to:
How long is Access Token valid?
Corporate Access Authorization API
Access Token and Code, and Refresh Token - what are these? (Access Authorization API)
Connecting to API (Access Authorization API)
Redirect - Token exchange with the refresh token (Access Authorization API)
Redirect - Token Exchange (Access Authorization API)
Token Exchange (Access Authorization API)
You can also read more about the Refresh Token here.
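The token lifecycle rules above (a 3600-second Access Token, a single-use Refresh Token that is rotated on every exchange, and an overall consent window set by the "duration" value in minutes), as an added Python example that is not Nordea's own client code. FakeTokenEndpoint is a constructed stand-in for the refresh call; the real request body and field names are not given on this page and are left to whatever callable is passed as exchange.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ACCESS_TOKEN_TTL = 3600  # seconds; the Access Token lifetime stated on this page


class AuthorizationExpired(Exception):
    """Consent duration elapsed or refresh token unusable: restart the flow."""


class FakeTokenEndpoint:
    """Constructed stand-in for POST /authorize/token in refresh mode (assumption).
    Enforces the page's rule that a Refresh Token can be used only once."""
    def __init__(self):
        self.used = set()
        self.n = 0

    def refresh(self, refresh_token: str) -> Dict[str, str]:
        if refresh_token in self.used:
            raise AuthorizationExpired("refresh token already used")
        self.used.add(refresh_token)
        self.n += 1
        # a new Refresh Token is always issued together with the Access Token
        return {"access_token": f"at-{self.n}", "refresh_token": f"rt-{self.n}"}


@dataclass
class TokenManager:
    exchange: Callable[[str], Dict[str, str]]  # refresh_token -> new token pair
    duration_minutes: int  # the "duration" value sent in POST /authorize
    authorized_at: float   # epoch seconds when the authorization flow completed
    access_token: str
    refresh_token: str
    issued_at: float       # epoch seconds when the current Access Token was issued

    def get_access_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if now - self.authorized_at >= self.duration_minutes * 60:
            raise AuthorizationExpired("duration elapsed; run the flow again")
        if now - self.issued_at < ACCESS_TOKEN_TTL:
            return self.access_token  # still valid, no exchange needed
        new = self.exchange(self.refresh_token)  # the single-use token is spent here
        # keep the rotated pair; the old refresh token must not be retried
        self.access_token, self.refresh_token = new["access_token"], new["refresh_token"]
        self.issued_at = now
        return self.access_token
```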
FAQ
Q: I set up an authentication with the Corporate Access Authorization API. I am able to make authentication flows and generate tokens, but the validity is much shorter than I expect. I create an authorization flow like this:
{
"scope": ["ACCOUNTS_BROADBAND"],
"duration": 5000000,
"agreement_number": *****
}
This is signed using Nordea ID and I get an authorization code. It's then used to generate a token at:
POST /corporate/v2/authorize/token
I can use the token to make some requests. However, in my next session, I am unable to generate a token. The authorization code returns 400 with 'Oauth code expired'. The refresh token I got in the previous session results in a similar error. I would expect that "duration": 5000000 would provide a code that can be used for several years. How do I set up a system where I do not need an app signature for every session? How can I make a code or token that can be reused for as long as the authorization session is valid?
A: Cross-session authorization is not possible and is not an intended functionality. Please only attempt to complete the authorization flow within the same session. The duration parameter can be used to set the overall duration of the authorization token; however, it needs to be refreshed within the maximum duration using the refresh_token when the access_token loses its validity. The authorization code is the shortest-living token, serving only as a stepping stone between two joined requests, which should be completed in sequence to proceed to obtaining the access_token. The code's duration cannot be extended and, once expired, the entire authorization flow has to be restarted.