# Refresh OAuth Token

> 🔓 PUBLIC ENDPOINT: Exchanges a refresh token for a new access token and refresh token pair. The old refresh token is automatically revoked. Rate limit: 20 requests per minute.

<Warning>
  This is a **PUBLIC ENDPOINT** (no authentication required). Rate-limited to
  **20 requests per minute**.
</Warning>

## Request Body

| Field          | Type   | Required | Description                         |
| -------------- | ------ | -------- | ----------------------------------- |
| `refreshToken` | string | Yes      | Refresh token from token generation |

## Example Request

```bash
curl -X POST http://localhost:3001/api/oauth/token/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "refreshToken": "rt_abc123xyz..."
  }'
```

## Example Response

```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "refresh_token": "rt_new_refresh_token...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "read:user read:organization"
}
```

## Token Rotation

When you refresh a token:

* Old refresh token is **immediately revoked**
* New access token and refresh token are issued
* Use the new refresh token for future refreshes
* Old refresh token cannot be reused

## Best Practices

* Refresh tokens before they expire
* Store new refresh tokens securely
* Handle token refresh errors gracefully
* Implement automatic token refresh in your client
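
The rotation rules and the documented error codes, combined in a client-side refresh manager. This is an added example, not Timbrix's own code: the names `TokenManager`, `ReauthRequired` and the `save` callback, the 60-second early-refresh skew and the backoff delays are assumptions, and the URL is the one from the example request.

```python
import json, threading, time, urllib.error, urllib.request

REFRESH_URL = "http://localhost:3001/api/oauth/token/refresh"  # from the example request

class ReauthRequired(Exception):
    """Refresh token rejected (401): already used or expired; the user must sign in again."""

def http_post(url, payload):
    """Default transport: POST JSON and return (status, parsed body)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

class TokenManager:
    def __init__(self, refresh_token, post=http_post, save=lambda rt: None,
                 sleep=time.sleep, skew=60):
        self._lock = threading.Lock()  # one refresh at a time: each refresh token is single-use
        self._refresh_token, self._access_token, self._expires_at = refresh_token, None, 0.0
        self._post, self._save, self._sleep, self._skew = post, save, sleep, skew

    def access_token(self):
        with self._lock:
            # Refresh `skew` seconds early so a token never expires mid-request.
            if self._access_token is None or time.time() >= self._expires_at - self._skew:
                self._refresh()
            return self._access_token

    def _refresh(self):
        if self._refresh_token is None:
            raise ReauthRequired("no usable refresh token")
        for attempt in range(3):
            status, body = self._post(REFRESH_URL, {"refreshToken": self._refresh_token})
            if status == 201:  # success code documented in the OpenAPI spec
                # Persist the new refresh token first: the old one is already revoked.
                self._save(body["refresh_token"])
                self._refresh_token, self._access_token = body["refresh_token"], body["access_token"]
                self._expires_at = time.time() + body["expires_in"]
                return
            if status == 401:  # never retry: the token was used already or has expired
                self._refresh_token = None
                raise ReauthRequired("refresh token invalid, already used, or expired")
            if status != 429:
                raise RuntimeError(f"token refresh failed with HTTP {status}")
            self._sleep(3 * 2 ** attempt)  # 429: back off 3 s, 6 s, 12 s (limit is 20/min)
        raise RuntimeError("token refresh still rate-limited after 3 attempts")
```

Pass a `save` callback that writes to your secret store; the default keeps the refresh token in memory only.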

## Common Errors

### 400 Bad Request

Invalid request. Refresh token is required.

### 401 Unauthorized

Invalid or expired refresh token. The refresh token may have been used already or has expired.

### 429 Too Many Requests

Rate limit exceeded. Maximum 20 requests per minute for token refresh.


## OpenAPI

````yaml POST /oauth/token/refresh
openapi: 3.1.0
info:
  title: Timbrix API
  description: >-
    REST API with OAuth2 server for managing organizations, members, and
    webhooks
  version: '1.0'
  contact: {}
servers:
  - url: http://sandbox.mintlify.com
    description: Sandbox environment
  - url: http://localhost:3001/api
    description: Local development
security: []
tags:
  - name: organizations
    description: Organization management endpoints
  - name: oauth
    description: OAuth2 authentication and authorization
  - name: webhooks
    description: Webhook configuration and delivery
  - name: users
    description: User information endpoints
  - name: api-keys
    description: API Keys management and validation
paths:
  /oauth/token/refresh:
    post:
      tags:
        - oauth
      summary: Refresh OAuth access token
      description: >-
        🔓 PUBLIC ENDPOINT: Exchanges a refresh token for a new access token and
        refresh token pair. The old refresh token is automatically revoked. Rate
        limit: 20 requests per minute.
      operationId: OAuthController_refreshToken
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RefreshTokenDto'
      responses:
        '201':
          description: >-
            Token refreshed successfully. Returns new access_token,
            refresh_token, token_type (Bearer), expiration time, and scopes.
        '400':
          description: Invalid request. Refresh token is required.
        '401':
          description: >-
            Invalid or expired refresh token. The refresh token may have been
            used already or has expired.
        '429':
          description: >-
            Rate limit exceeded. Maximum 20 requests per minute for token
            refresh.
components:
  schemas:
    RefreshTokenDto:
      type: object
      properties:
        refreshToken:
          type: string
          description: Refresh token obtained from token generation
          example: rt_abc123xyz...
      required:
        - refreshToken

````