WAPIs v2.0.0 / Authentication
Refresh
Obtain a new access token using a refresh token
Use a previously issued refresh_token to obtain a new access_token without re-authenticating with credentials.
The refresh_token remains valid for 6 hours after the associated access_token expires.
This endpoint issues OAuth bearer credentials only. It does not issue or rotate WAPI Keys.
Endpoint
POST /auth/tokens/refresh

| Access | Requirement |
|---|---|
| Authenticated | No |
| Required Scope | None |
| Rate Limit | 5 requests per minute |
Request
Headers
| Header | Value |
|---|---|
| Accept | application/json |
Body (form-data)
| Parameter | Type | Required | Description |
|---|---|---|---|
| refresh_token | string | Yes | The refresh token from a previous Grant or Refresh response |
Notes:
- If the refresh token is structurally invalid or cannot be decrypted, the endpoint returns 401 Unauthorized.
- If the refresh token is valid but the account is no longer allowed to use one or more embedded scopes, the backend revokes the newly issued access token and returns 403 Forbidden.
Responses
200 OK
{
  "message": "OK",
  "token_type": "Bearer",
  "expires_in": 43200,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi...",
  "refresh_token": "def50200..."
}

| Field | Type | Description |
|---|---|---|
| token_type | string | Always "Bearer" |
| expires_in | integer | Token lifetime in seconds (43200 = 12 hours) |
| access_token | string | New JWT access token |
| refresh_token | string | New refresh token (previous one is invalidated) |
400 Bad Request
{
  "message": "The refresh token field is required."
}

401 Unauthorized
{
  "message": "The refresh token is invalid."
}

403 Forbidden
{
  "message": "Forbidden"
}

Example
curl -X POST https://ttsb.wipayfinancial.com/wapi/auth/tokens/refresh \
-H "Accept: application/json" \
-F "refresh_token=def50200..."
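
Because each successful refresh invalidates the previous refresh_token, a client has to replace both stored tokens together and stop retrying once the server answers 401 or 403. The following Python sketch is an added example, not code from the WAPI project; `TokenState`, `ReauthRequired` and the injected `post(refresh_token)` transport (assumed to send the form POST shown above and return `(status_code, json_dict)`) are hypothetical names.

```python
import time

REFRESH_GRACE = 6 * 3600  # refresh_token outlives the access_token by 6 hours (per this page)


class ReauthRequired(Exception):
    """Stored tokens are unusable; the caller must run the Grant flow again."""


class TokenState:
    def __init__(self, access_token, refresh_token, expires_in, now):
        self.set(access_token, refresh_token, expires_in, now)

    def set(self, access_token, refresh_token, expires_in, now):
        # Both secrets and both deadlines change in one step.
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.access_expires_at = now + expires_in
        self.refresh_expires_at = self.access_expires_at + REFRESH_GRACE

    def clear(self):
        # Drop both secrets so a rejected refresh token is never replayed.
        self.access_token = self.refresh_token = None


def refresh(state, post, now=None):
    """Rotate the tokens once using the hypothetical transport `post`."""
    now = time.time() if now is None else now
    if state.refresh_token is None or now >= state.refresh_expires_at:
        # Outside the 6-hour window: do not spend a rate-limited request.
        state.clear()
        raise ReauthRequired("refresh window closed")
    status, body = post(state.refresh_token)
    if status == 200 and body.get("token_type") == "Bearer":
        # The old refresh token is now invalid server-side; overwrite it
        # together with the access token so it is never sent again.
        state.set(body["access_token"], body["refresh_token"],
                  int(body["expires_in"]), now)
        return state
    if status in (401, 403):
        # 401: token invalid. 403: account lost an embedded scope.
        # Retrying cannot help and only burns the 5 requests/minute limit.
        state.clear()
        raise ReauthRequired(f"refresh rejected with HTTP {status}")
    # Anything else (including 400, a client bug) is surfaced, not retried.
    raise RuntimeError(f"unexpected refresh response: HTTP {status}")
```

Persist the state returned by `refresh` before using the new access token, and keep token values out of logs and exception messages.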