What is refresh_token in Refresh Token Api?

What is refresh_token in Refresh Token Api?
refresh_token
REQUIRED The Refresh Token to use.

Hey, thanks for reaching out. refresh_token is a grant type and also the value of the refresh token, which you can obtain using the Get Refresh Token API endpoint. Only then would you be able to use this refresh token. Let me know if that clears it up.
Have a nice day!

https://auth0.com/docs/api/authentication#refresh-token

I am confused. I was checking the above endpoint and it has refresh_token as a parameter, though the API call itself is to get a refresh token.

Thanks for replying. Yes, that’s right. As mentioned in my earlier response, you need to obtain a refresh token to use one. It has to be obtained during the Authorization call by using the scope offline_access along with other scopes.

Once you get the value, you would be able to use it in the Authentication API Explorer.

Let me know in case of any queries.

Thanks.

OK, so you are saying that during login I received one token, and I need to send that token here in the refresh token parameter.

Correct me if my understanding is wrong?

I have one more question: I will have custom signup and login, so I will use the endpoints below.
https://auth0.com/docs/api/authentication#signup
https://auth0.com/docs/api/authentication#resource-owner-password

But now the problem is that after signup, when I log in without verifying the email, I am not getting any error. So is there any other API to check whether the user has verified their email?

Yes, your understanding is right. Please make sure you have modified the scope in the /authorize call, get the refresh_token value and use it in the other API call.

We unfortunately do not have an out-of-the-box way to prevent the creation of a user profile until an email is verified. I believe the best way to handle a scenario like this would be for your app to check for users with email_verified: false and if their created_at is too far in the past, then delete that user. You could also have your app notify users they have a certain amount of time to verify their email and then delete the account if they do not within the time limit.

Let me know if that works.

Thanks !!

Sorry, I am not sure what you meant by “Please make sure you have modified scope in /authorize call.”

Also, after signup we will allow the user to log in to our app, so is there no way to stop him by saying your email is not verified yet?

BTW, the refresh token endpoint is giving the error below.
[size=81 text={“error”:“invalid_grant”,“error_description”:"Unknown or invalid…]
Below are the parameters:
grant_type=“refresh_token”
client_id={yourClientId}
client_secret=YOUR_CLIENT_SECRET
refresh_token= Token received from login api.

Can you send the results from login API? Also did you add scope:offline_access in your /authorize call to receive the refresh_token value?

Thanks

Response of Login:
{“access_token”:“eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtdTVlanFyNjJwMTBrMWs4aC5hdS5hdXRoMC5jb20vIn0…_G4wKePgpOPNtZl8.2gP4wv0TDOTy7o8ypHYWYG9QyvykLoLgQV3036TOaUJl3vdneah_uAPOd94ISA5-V_fCiSI0d_Lbt-mdYz6PzFYpv5D3PiBRcpZRM5ahAw9dZSTEOyhGAEwnPyRR8G2Cv0bETwSNnSJM8dG5ESXJERWL5PJ8WrkGKne9ZQQc-CDx5DlqntvOIzQWqJ601Fb9tlp2ECMw0S3SKImpQgJchb2Ke7JGZ7mP93wR3XO7kKMfWkn-zxsqkVRMZS25BaFp27xnFT9mB6wbI5oMsbV1lL7s6VaScg40Q5Riou7KcUgPQlVhwW5Lea4C-sfrE5R8JF1ih6t6LjCz3SMF9vhokqrCp_1I18sgRNdFhPHbD7h8UsAkV2mPsfluL8rnLkNIBw.Ii1YZThJ9bzI2kGxCwn4yg”,“id_token”:“eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRwUnh4Ym5pcHJBVlJpclAyNjVuSyJ9.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.rC4flvu-ehs_9RqZzg5IAIWbOF5WeXpu-e2d4bGoWL4UcHRD8P4c50zX_PO4SAX9lADZyDqizDjB63cOc_nqJfLuzEj_1k-gCE55nKCVYFG8AHkiSGV2GyOymqeRBoNQp2exumQ_BjjKJPKh-EVDlOsCkWidO3AWyXoclxmz56hTEVr7wlmpEVCi8rBB-1Xln7pyt0-QQJNMLQ9LtMJB2ADpdGOBxApWXC5QpNrRTapGYdl-_kdcBOTkkoZHYFuh3xfjo5tUTzZ8PuMMfIFzcnnM5Oe8-NrXjyxSrcy2yy_gLKXksO5hxLIRu-hAEpW7pzwUUEbqW5GdS7JZrHQhkQ”,“scope”:“openid profile email address phone”,“expires_in”:86400,“token_type”:“Bearer”}

https://auth0.com/docs/api/authentication#resource-owner-password
This is what I followed for login.

https://auth0.com/docs/api/authentication#refresh-token
This is what I followed for the refresh token.

Hi. Thanks for the reply.

As you can see in the response, you didn't get the refresh token in your response, without which you cannot get the value in your response.

Before trying, I would suggest you complete the prerequisites below.

  1. Enable refresh token as grant type in Dashboard → Application → Advanced Settings

  2. Add offline_access as one of the scopes in login API.

  3. Get refresh_token value from the response.

  4. Fetch the value and use it in your use case accordingly.

Thanks,
Gautham
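
The check described in this thread, as an added example that is not part of the original posts or Auth0's own code: it inspects a login response for `offline_access` and `refresh_token` before building the `refresh_token` grant body, so an access token is never sent in its place. The function names, placeholder values and the sample response (same fields as the one posted above, token values replaced) are constructed for illustration.

```python
import json
from urllib.parse import urlencode

# Constructed sample: same fields as the login response posted in the thread,
# with the token values replaced by placeholders.
LOGIN_RESPONSE = json.dumps({
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",
    "id_token": "ID_TOKEN_PLACEHOLDER",
    "scope": "openid profile email address phone",
    "expires_in": 86400,
    "token_type": "Bearer",
})

def password_grant_form(client_id, client_secret, username, password, scopes):
    """Form body for the resource-owner-password login, always asking for offline_access."""
    scopes = list(scopes)
    if "offline_access" not in scopes:
        scopes.append("offline_access")  # without it no refresh_token is issued
    return urlencode({
        "grant_type": "password", "client_id": client_id,
        "client_secret": client_secret, "username": username,
        "password": password, "scope": " ".join(scopes),
    })

def diagnose(token_response_json):
    """Return the reasons this login response cannot feed the refresh_token grant."""
    resp = json.loads(token_response_json)
    problems = []
    if "offline_access" not in resp.get("scope", "").split():
        problems.append("scope lacks offline_access")
    if not resp.get("refresh_token"):
        problems.append("no refresh_token in response")
    return problems

def refresh_grant_form(token_response_json, client_id, client_secret):
    """Form body for the refresh_token grant; refuses to fall back to the access token."""
    problems = diagnose(token_response_json)
    if problems:
        # Sending access_token here is what produces invalid_grant.
        raise ValueError("; ".join(problems))
    resp = json.loads(token_response_json)
    return urlencode({
        "grant_type": "refresh_token", "client_id": client_id,
        "client_secret": client_secret, "refresh_token": resp["refresh_token"],
    })

if __name__ == "__main__":
    print(diagnose(LOGIN_RESPONSE))
```

Both form bodies are sent as `application/x-www-form-urlencoded` to the tenant's token endpoint; keep `client_secret` and the refresh token on the server side and out of logs.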
