Skip to main content
POST
/
api
/
auth
/
refresh
Refresh session tokens
curl --request POST \
  --url https://your-instance.example.com/api/auth/refresh \
  --header 'Content-Type: application/json' \
  --data '
{
  "refreshToken": "rt_5f7b1c2e8a1d4e0012c3b4a5e6f7a8b9c0d1e2f3a4b5c6d7e8f9"
}
'
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI1Zjdi...",
  "socketToken": "st_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "rt_64d2f9c5e8a1d4e001a0b1c2e6f7a8b9",
  "sessionConfig": {
    "enabled": true,
    "idleTimeoutMinutes": 30
  },
  "user": {
    "id": "5f7b1c2e8a1d4e0012c3b4a5",
    "email": "admin@acme.example",
    "organizationId": "64a1b2c3d4e5f60012345678",
    "accessRole": "ADMIN"
  }
}

Body

application/json
refreshToken
string
required

Raw refresh token previously returned by login/refresh; consumed and rotated server-side. Expired or unknown tokens return 401.

Response

Token refreshed

Refresh-token rotation envelope. Adds socketToken for re-authenticating the realtime socket alongside the new HTTP tokens.

token
string
required
socketToken
string
required
refreshToken
string
required
sessionConfig
object
required

Resolved session configuration returned alongside tokens. Mirrors the org-level idle-timeout / SSO renewal policy so the client can enforce it.

Example:
{
  "enabled": true,
  "idleTimeoutMinutes": 30,
  "tokenExpiryHours": 8,
  "warningTimeMinutes": 2,
  "idleTrackingEnabled": true,
  "ssoSilentRenewalEnabled": true,
  "ssoFallbackBehavior": "redirect",
  "passwordSilentRenewalEnabled": false,
  "passwordFallbackBehavior": "logout"
}
user
object
required

Compact User payload returned with auth tokens.

Example:
{
  "id": "5f7b1c2e8a1d4e0012c3b4a5",
  "email": "admin@acme.example",
  "fullName": "Acme Admin",
  "organizationId": "64a1b2c3d4e5f60012345678",
  "accessRole": "ADMIN",
  "conversationOpenPreference": "split"
}