What is a Refresh Token?
- The Refresh Token is retrieved by the Client after a successful Access Authorization flow
- The Refresh Token is passed by the Client in the Token Exchange call to obtain a new Access Token after the current one has expired (after 3600 seconds), but within the time set in the initial POST /authorize request (the "duration" parameter value, in minutes)
- The Refresh Token is long-lived (valid as long as the consent given by the Resource Owner) and can be used only once
- A new Refresh Token is always issued together with the Access Token
Q: I set up authentication with the Corporate Access Authorization API. I am able to make authentication flows and generate tokens, but the validity is much shorter than I expect. I create an authorization flow like this:
This is signed using Nordea ID and I get an authorization code. It's then used to generate a token at:
I can use the token to make some requests. However, in my next session, I am unable to generate a token. The authorization code returns 400 with 'Oauth code expired'. The refresh token I got in the previous session results in a similar error. I would expect that "duration": 5000000 would provide a code that can be used for several years. How do I set up a system where I do not need an app signature for every session? How can I make a code or token that can be reused for as long as the authorization session is valid?
A: Cross-session authorization is not possible and is not an intended functionality. Please only attempt to complete the authorization flow within the same session. The duration parameter can be used to set the overall duration of the authorization token; however, it needs to be refreshed within the maximum duration using the refresh_token when the access_token loses its validity. The authorization code is the shortest-living token, serving only as a stepping stone between two joined requests, which should be completed in sequence to proceed with obtaining the access_token. The code's duration cannot be extended and, once expired, the entire authorization flow has to be restarted.
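The lifecycle described in the bullets above and in this answer (a 3600-second access token, a single-use refresh token rotated on every exchange, and a hard stop at the consent "duration" set in minutes), modelled as an added client-side example. This is not Nordea's code: the token endpoint below is a constructed simulation with invented token strings, and the function and class names are assumptions.

```python
import time
from dataclasses import dataclass

ACCESS_TOKEN_TTL = 3600  # seconds; access-token lifetime stated on the page

class AuthorizationExpired(Exception):
    """The consent window ("duration", in minutes) has passed: restart /authorize."""

class RefreshTokenReused(Exception):
    """A refresh token was presented a second time: each one is single-use."""

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: float   # epoch seconds
    consent_expires_at: float  # epoch seconds, derived from "duration" (minutes)

class SimulatedTokenEndpoint:
    """Constructed stand-in for the token exchange; rotates single-use refresh tokens."""
    def __init__(self):
        self._valid = set()   # refresh tokens that have not yet been consumed
        self._n = 0

    def issue(self, now):
        self._n += 1
        rt = f"rt-{self._n}"  # invented token value
        self._valid.add(rt)
        return f"at-{self._n}", rt, now + ACCESS_TOKEN_TTL

    def exchange(self, refresh_token, now):
        if refresh_token not in self._valid:
            raise RefreshTokenReused(refresh_token)
        self._valid.discard(refresh_token)  # consumed: the old refresh token is dead
        return self.issue(now)             # a new refresh token always comes with the access token

def start_session(endpoint, duration_minutes, now=None):
    """Called once per authorization flow; the consent clock starts here."""
    now = time.time() if now is None else now
    at, rt, exp = endpoint.issue(now)
    return TokenSet(at, rt, exp, now + duration_minutes * 60)

def get_access_token(ts, endpoint, now=None):
    """Return a usable access token, refreshing (and rotating) only while consent lasts."""
    now = time.time() if now is None else now
    if now >= ts.consent_expires_at:
        raise AuthorizationExpired("duration exhausted; repeat the authorization flow")
    if now >= ts.access_expires_at:
        at, rt, exp = endpoint.exchange(ts.refresh_token, now)
        # never trust an access token beyond the consent window, whatever TTL it carries
        ts.access_token, ts.refresh_token, ts.access_expires_at = at, rt, min(exp, ts.consent_expires_at)
    return ts.access_token
```

Persist the rotated refresh token immediately after each exchange: if the process crashes after the exchange but before the store is updated, the only refresh token still on disk is the consumed one, and the flow has to be restarted.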