Refresh
POST /auth/refresh
Rotate a refresh token and issue a new access token.
Validates the refresh token against the DB, atomically revokes
it, and returns a new access + refresh token pair. The previous
refresh token is immediately invalid — any replay attempt fails
with 401 invalid_token.
No Authorization header required; the refresh token itself
is the credential (carried in the request body).
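The rotation described above (validate, atomically revoke, issue a new pair, reject replays with 401 invalid_token), shown as an added example that is not this service's own handler code. It assumes a SQLite table of SHA-256 token hashes standing in for the real DB, an assumed 30-day refresh lifetime, and a placeholder access-token minter; the important part is that validity checks and revocation are one UPDATE, so two concurrent presentations of the same token can never both succeed.

```python
import hashlib
import secrets
import sqlite3
import time
from typing import Optional, Tuple

# Hypothetical in-process store; the real service would use its own DB connection.
_db = sqlite3.connect(":memory:", check_same_thread=False)
_db.execute(
    "CREATE TABLE refresh_tokens ("
    " token_hash TEXT PRIMARY KEY, user_id TEXT NOT NULL,"
    " expires_at REAL NOT NULL, revoked INTEGER NOT NULL DEFAULT 0)"
)

REFRESH_TTL = 30 * 24 * 3600  # assumed lifetime; the page does not state one


def _hash(token: str) -> str:
    # Only the digest is persisted, so a DB read does not yield usable credentials.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_refresh_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint a fresh opaque refresh token and record its hash as live."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _db.execute(
        "INSERT INTO refresh_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
        (_hash(token), user_id, now + REFRESH_TTL),
    )
    _db.commit()
    return token


def _issue_access_token(user_id: str) -> str:
    # Placeholder for the real access-token minter (e.g. a signed JWT).
    return "access." + user_id + "." + secrets.token_urlsafe(16)


def refresh(refresh_token: str, now: Optional[float] = None) -> Tuple[int, dict]:
    """POST /auth/refresh handler body: returns (http_status, response_json)."""
    now = time.time() if now is None else now
    h = _hash(refresh_token)
    # Validity conditions live in the WHERE clause of the revoke itself: exactly one
    # caller can flip revoked 0 -> 1, so a replayed token sees rowcount == 0.
    cur = _db.execute(
        "UPDATE refresh_tokens SET revoked = 1 "
        "WHERE token_hash = ? AND revoked = 0 AND expires_at > ?",
        (h, now),
    )
    _db.commit()
    if cur.rowcount != 1:
        # Unknown, expired, or already-rotated token: the page's 401 invalid_token.
        return 401, {"error": "invalid_token"}
    (user_id,) = _db.execute(
        "SELECT user_id FROM refresh_tokens WHERE token_hash = ?", (h,)
    ).fetchone()
    return 200, {
        "access_token": _issue_access_token(user_id),
        "refresh_token": issue_refresh_token(user_id, now),
        "token_type": "bearer",
    }
```

Because the old token is revoked before the new pair is minted, a second presentation of it, whether a genuine retry or a stolen copy, is refused; a client that loses the response must re-authenticate rather than retry the refresh.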
Rate limit (SCRIFT-73): 60 requests/minute keyed by client IP. Per-IP (not per-user) is the correct key for a token-exchange endpoint - before the token is decoded the server does not know which user is calling, so a per-user key would be unreachable. Matches OWASP ASVS V11.1.4 and the Stripe / Auth0 / Keycloak token-endpoint pattern. 60/min comfortably accommodates the dashboard's 13-minute refresh-ahead cycle plus multi-tab users behind shared egress (corporate NAT, mobile carriers) while still blocking token-stuffing attempts.
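The per-IP limit above, as an added example rather than the project's own middleware: a sliding-window limiter (60 admitted requests per rolling 60 seconds per client IP) in a single-process store, with an injectable clock so the window behaviour can be checked deterministically. The 429 response and Retry-After header in the wrapper are assumptions; the page lists only 200 and 422.

```python
import collections
import threading
import time
from typing import Deque, Dict, Optional, Tuple

LIMIT = 60      # admitted requests per window, per client IP (from the page)
WINDOW = 60.0   # window length in seconds


class PerIpRateLimiter:
    """Sliding-window limiter keyed by client IP (assumed single-process state)."""

    def __init__(self, limit: int = LIMIT, window: float = WINDOW) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = collections.defaultdict(collections.deque)
        self._lock = threading.Lock()

    def check(self, client_ip: str, now: Optional[float] = None) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds) for one request from client_ip."""
        now = time.time() if now is None else now
        with self._lock:
            q = self._hits[client_ip]
            cutoff = now - self.window
            # Drop timestamps that have aged out of the rolling window.
            while q and q[0] <= cutoff:
                q.popleft()
            if len(q) >= self.limit:
                # Oldest admitted hit decides when capacity frees up again.
                return False, q[0] + self.window - now
            q.append(now)
            return True, 0.0


def handle_refresh_request(
    limiter: PerIpRateLimiter, client_ip: str, now: Optional[float] = None
) -> Tuple[int, dict]:
    """Gate /auth/refresh before the body is parsed; only the IP is known here."""
    allowed, retry_after = limiter.check(client_ip, now)
    if not allowed:
        # Assumed shape for the throttled response (not documented on the page).
        return 429, {"error": "rate_limited", "Retry-After": int(retry_after + 0.999)}
    # The real handler would now decode and rotate the refresh token.
    return 200, {"ok": True}
```

The key must be the client IP the trusted edge determined, not a forwarding header copied verbatim from the request, or the limit becomes trivially avoidable; and because the check runs before the token is decoded, it also bounds how many guessed or stolen tokens a single source can present per minute.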
Request
Responses
- 200: Successful Response
- 422: Validation Error