Refresh Tokens

In this exercise you’ll learn how to obtain a refresh token and use it to get new access tokens.

The goal of this exercise is to get a refresh token and use the refresh token to get a new access token. We will be building on the previous exercise where you used the authorization code flow to get an access token.

You should already have created an application and completed the OAuth for Web Applications exercise before attempting this exercise.

Before the application is able to request a refresh token, you need to enable refresh tokens for this API. From the sidebar, navigate to Applications and click APIs. Find the API you created earlier, and enable the Allow Offline Access toggle.

Once this is enabled, applications will be able to request refresh tokens for this API.

Now you’re ready to start a new OAuth flow and request a refresh token. Build the authorization URL like you did before, but this time add the scope offline_access to the request.

Code Verifier

Save the Code Verifier and keep it secret; you won’t need it until the end.

Next, you need to create the Code Challenge, which is the Base64-URL-encoded SHA256 hash of the random string you generated. You can write code to do this yourself, or you can paste your random string into the field above, and click the Calculate Hash button below.

Code Challenge

Authorization Request

Create the initial URL for the authorization request and paste it above. Once it's correct, a "Log In" button with that URL will appear below.

Token Response

Use the authorization code flow to get an access token, then paste the entire token response JSON here to check your work.

Refresh Token Response

Use the refresh token to get a new access token, then paste the entire token response JSON here to check your work.
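If you would rather write the code yourself, the following added example (not part of the original exercise) generates a Code Verifier, derives the Code Challenge, builds the authorization URL with the offline_access scope, and prepares the form fields for the refresh request. The endpoint, client ID, redirect URI and the `photos` scope are placeholder assumptions, and the refresh fields are the standard RFC 6749 parameters with the client secret sent in the body, which is also an assumption about how your client authenticates.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

def make_code_verifier(n_bytes: int = 32) -> str:
    """Random URL-safe string; 32 random bytes encode to 43 characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")

def make_code_challenge(verifier: str) -> str:
    """Base64-URL-encoded SHA-256 hash of the verifier, '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scopes, state, verifier):
    """Authorization code request with PKCE; offline_access asks for a refresh token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)

def refresh_request_body(refresh_token, client_id, client_secret):
    """Form fields POSTed to the token endpoint to get a new access token."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }

if __name__ == "__main__":
    # Placeholder values (assumptions): substitute your own server, client and scopes.
    verifier = make_code_verifier()
    url = build_authorization_url(
        "https://authorization-server.example/authorize", "YOUR_CLIENT_ID",
        "https://example-app.com/redirect", ["photos", "offline_access"],
        secrets.token_urlsafe(16), verifier,
    )
    print("code_verifier (keep secret):", verifier)
    print("authorization URL:", url)
```

The verifier never appears in the authorization URL; only its hash does, and the verifier itself is sent later with the authorization code at the token endpoint.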