Refresh tokens are used to request a new access token and/or ID token for a user without requiring them to re-authenticate. Typically, you should request a new access token before the previous one expires (to avoid any service interruption), but not every time you call an API, as token exchanges are subject to our Rate Limiting Policy. You may also use a refresh token to request a new ID token for a user, and should do so if you need to refresh the claims within the ID token.

Call the API

To exchange the refresh token you received during authentication for a new access token, call the Get token endpoint of the Auth0 Authentication API. To learn more about the authentication methods available for the Authentication API, read Authentication Methods.

Use Basic authentication

curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'authorization: Basic {yourApplicationCredentials}' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=refresh_token \
  --data 'client_id={yourClientId}' \
  --data 'refresh_token={yourRefreshToken}'

Use Post authentication

curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=refresh_token \
  --data 'client_id={yourClientId}' \
  --data 'client_secret={yourClientSecret}' \
  --data 'refresh_token={yourRefreshToken}'

Parameter definition

Parameter       Description
grant_type      Type of grant to execute.
client_id       Application's client ID.
client_secret   (Optional) Application's client secret. Only required for confidential applications using the Post token authentication method.
refresh_token   Refresh token to exchange.

The response will include a new access token, its type, its lifetime (in seconds), and the granted scopes. If the scope of the initial token included openid, then a new ID token will be in the response as well.

{
  "access_token": "eyJ...MoQ",
  "expires_in": 86400,
  "scope": "openid offline_access",
  "id_token": "eyJ...0NE",
  "token_type": "Bearer"
}
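As an added example (not Auth0's own code or SDK), the following Node.js (18+) client performs the exchange above with either authentication method and, following the timing guidance at the top of the page, only exchanges the refresh token when no access token is cached or the cached one is about to expire. The names TokenRefresher, buildRefreshRequest, shouldRefresh, applyTokenResponse, fakeFetch and demo are assumptions of this example; only the endpoint, parameters and headers come from the curl requests above. The fake fetch returns the sample response shown above so the demo runs offline.

```javascript
// Added example, not Auth0's own code: a small Node.js (18+) client for the
// refresh token exchange. Function and class names are assumptions of this
// example; endpoint, parameters and headers come from the page's curl requests.

// Build the request the curl examples send. `auth` is "basic" or "post";
// any other value sends no client secret (public client).
function buildRefreshRequest({ domain, clientId, clientSecret, auth }, refreshToken) {
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    refresh_token: refreshToken,
  });
  const headers = { "content-type": "application/x-www-form-urlencoded" };
  if (auth === "basic") {
    // Basic: client_id:client_secret, base64-encoded, in the Authorization header
    headers.authorization =
      "Basic " + Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  } else if (auth === "post") {
    // Post: the secret travels in the form body instead
    body.set("client_secret", clientSecret);
  }
  return { url: `https://${domain}/oauth/token`, method: "POST", headers, body: body.toString() };
}

// Exchange only when nothing is cached or the token expires within skewSec;
// this keeps ordinary API calls from triggering a token exchange each time.
function shouldRefresh(state, nowMs, skewSec = 60) {
  if (!state) return true;
  return nowMs >= state.expiresAtMs - skewSec * 1000;
}

// Convert the JSON token response into cached state with an absolute expiry.
function applyTokenResponse(json, nowMs) {
  if (typeof json.access_token !== "string" || typeof json.expires_in !== "number") {
    throw new Error("token response lacks access_token or expires_in");
  }
  return {
    accessToken: json.access_token,
    idToken: json.id_token ?? null, // present only when the scope included openid
    scope: json.scope,
    tokenType: json.token_type,
    expiresAtMs: nowMs + json.expires_in * 1000,
  };
}

class TokenRefresher {
  // fetchImpl and clock are injectable so the exchange can be driven offline.
  constructor(config, refreshToken, fetchImpl = globalThis.fetch, clock = Date.now) {
    this.config = config;
    this.refreshToken = refreshToken;
    this.fetchImpl = fetchImpl;
    this.clock = clock;
    this.state = null;
    this.exchanges = 0;
  }

  // Return a usable access token, exchanging the refresh token only if needed.
  async getAccessToken() {
    const now = this.clock();
    if (!shouldRefresh(this.state, now)) return this.state.accessToken;
    const req = buildRefreshRequest(this.config, this.refreshToken);
    const res = await this.fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
    if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status}`);
    this.state = applyTokenResponse(await res.json(), now);
    this.exchanges += 1;
    return this.state.accessToken;
  }
}

// Constructed stand-in for the token endpoint so the demo runs offline; it
// replies with the sample response shown on the page.
async function fakeFetch(_url, _init) {
  return {
    ok: true,
    status: 200,
    json: async () => ({
      access_token: "eyJ...MoQ", expires_in: 86400, scope: "openid offline_access",
      id_token: "eyJ...0NE", token_type: "Bearer",
    }),
  };
}

// Demo: three calls over the token's lifetime produce only two exchanges.
async function demo() {
  let now = 0;
  const client = new TokenRefresher(
    { domain: "{yourDomain}", clientId: "{yourClientId}", clientSecret: "{yourClientSecret}", auth: "post" },
    "{yourRefreshToken}", fakeFetch, () => now);
  await client.getAccessToken();               // first call: exchange
  now = 3600 * 1000;
  await client.getAccessToken();               // an hour later: served from cache
  now = (86400 - 30) * 1000;
  const token = await client.getAccessToken(); // 30 s before expiry: exchange again
  return { token, exchanges: client.exchanges };
}

demo().then((r) => console.log(r)); // { token: 'eyJ...MoQ', exchanges: 2 }
```

The refresh window (skewSec) is the one knob worth tuning: too small and a slow network can let the token expire mid-request; too large and you exchange more often than the Rate Limiting Policy expects. Swap fakeFetch for the global fetch and the placeholder config for your tenant's values to run it against a real tenant.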

Bypass MFA

If Multi-factor Authentication (MFA) is enabled and the refresh token exchange flow fails, you can use the below Action code to bypass the logic:
exports.onExecutePostLogin = async (event, api) => {
  // This action will allow you to bypass the MFA logic for the refresh token exchange flow.

  if (event.transaction.protocol === "oauth2-refresh-token") {
    return;
  }

  //  Add your MFA logic
  //  For example: api.multifactor.enable("any");
};
You can customize the code example when separate logic needs to be executed or bypassed depending on the current flow or protocol.
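As an added example (not Auth0's own code), the following runs the Action above offline against a stand-in api object to confirm that MFA is skipped for the refresh token exchange and still required for any other flow. makeFakeApi, mfaRequiredFor and the "interactive-login" protocol value are assumptions of this example; only event.transaction.protocol, "oauth2-refresh-token" and api.multifactor.enable("any") come from the page.

```javascript
// Added example, not Auth0's own code: exercising the post-login Action
// offline. makeFakeApi, mfaRequiredFor and the "interactive-login" value are
// assumptions; the protocol check and the MFA call come from the page.

const onExecutePostLogin = async (event, api) => {
  // The refresh token exchange runs without an interactive user, so the
  // protocol check must sit before any MFA call, as in the page's Action.
  if (event.transaction.protocol === "oauth2-refresh-token") {
    return;
  }
  api.multifactor.enable("any");
};

// Minimal stand-in for the Actions `api` object: records MFA decisions.
function makeFakeApi() {
  const calls = [];
  return { calls, multifactor: { enable: (provider) => { calls.push(provider); } } };
}

// Run the Action for one protocol value and report whether MFA was required.
// The Action body contains no await, so its effect on `api` is visible as
// soon as the call returns; the returned promise is deliberately not awaited.
function mfaRequiredFor(protocol) {
  const api = makeFakeApi();
  onExecutePostLogin({ transaction: { protocol } }, api);
  return api.calls.length > 0;
}

console.log("refresh exchange requires MFA:", mfaRequiredFor("oauth2-refresh-token")); // false
console.log("interactive login requires MFA:", mfaRequiredFor("interactive-login"));   // true
```

Keeping the protocol check as the first statement is the whole point: any MFA logic placed above it would run for the refresh grant too and reproduce the failure the section describes.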

Learn more