In this exercise you’ll learn how to obtain a refresh token and use it to get new access tokens.
The goal of this exercise is to get a refresh token and use the refresh token to get a new access token. We will be building on the previous exercise where you used the authorization code flow to get an access token.
You should already have created an application and completed the OAuth for Web Applications exercise before attempting this exercise.
Before the application is able to request a refresh token, you need to enable refresh tokens for this API. From the sidebar, navigate to Applications and click APIs. Find the API you created earlier, and enable the Allow Offline Access toggle.
Once this is enabled, applications will be able to request refresh tokens for this API.
Now you’re ready to start a new OAuth flow and request a refresh token. Build the authorization URL like you did before, but this time add the scope
offline_access to the request.
Save the Code Verifier and keep it secret, you won’t need that until the end.
Next, you need to create the Code Challenge, which is the Base64-URL-encoded SHA256 hash of the random string you generated. You can write code to do this yourself, or you can paste your random string into the field above, and click the Calculate Hash button below.