The Refresh Token

The Refresh Token is a long-lived token that enables your client-app to obtain a new Access Token (e.g. if the current Access Token expires, or is revoked).

When using a Refresh Token, the request must be authenticated by the Authorization Server. There are 2 ways to authenticate:

  1. Client Credentials: If the request includes the client_id and client_secret fields, it will be authenticated against those credentials.
  2. Taboola Backstage Session (Cookies): If the request is made via a browser, and the user is currently logged into the Backstage application, then the relevant session cookie will be used for authentication.

Request with Client Credentials

To refresh an Access Token, send a request in the following form:

POST /backstage/oauth/token
Host: https://backstage.taboola.com
Content-Type: application/x-www-form-urlencoded
refresh_token=[refresh_token]&
client_id=[client_id]&
client_secret=[client_secret]&
grant_type=refresh_token

Taboola Backstage Session (Cookies)

To refresh an Access Token, send a request in the following form:

POST /backstage/oauth/token
Host: https://backstage.taboola.com
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=[jsession_id]
refresh_token=[refresh_token]&
grant_type=refresh_token

πŸ“˜

Cookie Header

The Cookie header is added by the browser, without any special action on your part.

πŸ“˜

Form Data

In the first line under Form Data, replace [refresh_token] with your Refresh Token. (The second line of text should be left 'as is'.)

πŸ“˜

client_id

No client_id is required when refreshing a token with session-based authentication - it is inferred from the refresh_token.

Example response

The response will look similar to the response of a Password Authentication request:

{
   "access_token": "ab4Tk<saw\feaXcp53wF2ksasq12",
   "refresh_token": "dkjsERT\fck37dSFD<[email protected]",
   "token_type": "bearer",
   "expires_in": 3600
}