Access Token Refresh Flow


This process assumes that the user has previously completed the authentication flow (Login Flow plus Access Token Flow) and that the application stored the “next login key” somewhere. This next login token can now be used to ask for a new access token.

The user’s device, probably after a request whose response indicated that the access token had expired, just needs to send a POST /pwless/access request to the server, including the email address, the signed next login key and the device identifier. It’s essentially the same process as an initial login, but skipping the first step.

Of course, if the device has no access to the next login token, the whole login flow will be needed, starting with the login request. If the operation succeeds, the server issues a new access token and sends an OK (200) response back to the user with the new access token and the following next login token.

As the login_token entries are associated with a specific device and its pair of keys, login attempts on other devices have no effect on the process of refreshing the access token for that device.

Request and Response

POST /pwless/access
{
   "email": "",
   "key_id": 382739283,
   "login_token_signed": "a978s87dnacfs78nh8asvn37dn0v7"
}

Response: 200 OK
{
   "success": true,
   "code": "success",
   "user": { "id": 23482732, "email": "" },
   "key": { "id": 382739283, "key_type": "ec", "key_length": 256, ... },
   "auth": {
      "access_token": "2372c39rndf7sbvldkfhbva83v938",
      "expires": "2016-04-21T11:35:21.000Z",
      "next_login_token": "7fvy4n98avawd0a7a0w38v0a9w83uv"
   }
}
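
The refresh exchange above, written out as an added example (not code from this project): the device signs its stored next login token, and the server verifies it against the entry for that key_id, then rotates the token so the old signed value cannot be reused. The signature scheme (ECDSA P-256 with SHA-256, hex-encoded), the in-memory store, the one-hour expiry, the failure response and the function names enrollDevice, buildRefreshRequest and handleAccess are assumptions, not part of the documented API.

```javascript
// Added example: client signer and server check for POST /pwless/access.
// Assumptions (not from the page): ECDSA P-256 + SHA-256, hex signatures, in-memory store.
const nodeCrypto = require('crypto');

const newToken = () => nodeCrypto.randomBytes(15).toString('hex');
const devices = new Map(); // key_id -> { email, publicKey, loginToken }

// Constructed enrollment standing in for the initial Login Flow + Access Token Flow.
function enrollDevice(keyId, email) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const loginToken = newToken();
  devices.set(keyId, { email, publicKey, loginToken });
  return { keyId, email, privateKey, nextLoginToken: loginToken };
}

// Client side: sign the stored next login token with the device's private key.
function buildRefreshRequest(device) {
  const sig = nodeCrypto.sign('sha256', Buffer.from(device.nextLoginToken), device.privateKey);
  return { email: device.email, key_id: device.keyId, login_token_signed: sig.toString('hex') };
}

// Server side: verify against the token stored for this key only, then rotate it.
function handleAccess(body) {
  const fail = { success: false }; // failure shape is not documented on the page
  const entry = devices.get(body.key_id);
  if (!entry || entry.email !== body.email || typeof body.login_token_signed !== 'string') {
    return fail;
  }
  const ok = nodeCrypto.verify('sha256', Buffer.from(entry.loginToken), entry.publicKey,
    Buffer.from(body.login_token_signed, 'hex'));
  if (!ok) return fail;
  entry.loginToken = newToken(); // single use: the previous signed token no longer verifies
  return {
    success: true,
    code: 'success',
    auth: {
      access_token: newToken(),
      expires: new Date(Date.now() + 3600 * 1000).toISOString(), // assumed one-hour lifetime
      next_login_token: entry.loginToken,
    },
  };
}
```

Because verification uses only the public key and token stored under the presented key_id, a signature produced by one device never validates for another, and each device's token rotates independently.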