The Refresh Token

The Refresh Token is a long-lived token that enables your client app to obtain a new Access Token without the user’s interaction (e.g. if the current Access Token expires).

When submitting a Refresh Token, the Authorization Server needs to authenticate the request. There are 2 ways to authenticate:

  1. Client Credentials: If the request includes the client_id and client_secret fields, it will be authenticated against those credentials.
  2. Taboola Backstage Session (Cookies): If the request is made via a browser, and the user is currently logged into the Backstage application, then the relevant session cookie will be used for authentication.

Submit a Refresh Token with Client Credentials

To refresh an Access Token, send a request of the following form over HTTPS:

POST /backstage/oauth/token
Host: backstage.taboola.com
Content-Type: application/x-www-form-urlencoded

refresh_token=[refresh_token]&
client_id=[client_id]&
client_secret=[client_secret]&
grant_type=refresh_token

Submit a Refresh Token with a Session Cookie

To refresh an Access Token, send a request of the following form over HTTPS:

POST /backstage/oauth/token
Host: backstage.taboola.com
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=[jsession_id]

refresh_token=[refresh_token]&
grant_type=refresh_token

Cookie Header

The Cookie header is added by the browser, without any special action on your part.

Form Data

In the first line under Form Data, replace [refresh_token] with your Refresh Token. (The second line of text should be left 'as is'.)

client_id

No client_id is required when refreshing a token with session-based authentication - it is inferred from the refresh_token.

Example response

The response will look similar to the response of a Password Authentication request:

{
   "access_token": "ab4Tk<saw\feaXcp53wF2ksasq12",
   "refresh_token": "dkjsERT\fck37dSFD<skjw@sddso",
   "token_type": "bearer",
   "expires_in": 3600
}
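
The client-credentials refresh described above, as an added Python example (not Taboola's own code). The function names, the 60-second refresh margin, the fallback to the previous Refresh Token and the sample response values are assumptions made for illustration; the endpoint and field names are the ones shown on this page.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://backstage.taboola.com/backstage/oauth/token"  # host + path from the page

# Constructed sample shaped like the example response (placeholder values).
SAMPLE_RESPONSE = ('{"access_token": "at-constructed", "refresh_token": "rt-constructed",'
                   ' "token_type": "bearer", "expires_in": 3600}')


def build_refresh_request(refresh_token, client_id, client_secret):
    """Build the client-credentials refresh request; nothing is sent here."""
    # urlencode percent-escapes characters such as '<', '\' and '@' that can
    # appear in tokens. Secrets travel in the POST body, never in the URL.
    body = urllib.parse.urlencode({
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw, old_refresh_token, now=None, skew=60):
    """Validate the JSON response and compute when to refresh next."""
    now = time.time() if now is None else now
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")  # do not echo the body: it holds secrets
    return {
        "access_token": doc["access_token"],
        # Store the Refresh Token from the response; keep the old one only if
        # none was returned (assumed fallback, not stated on the page).
        "refresh_token": doc.get("refresh_token") or old_refresh_token,
        # Refresh `skew` seconds before expiry so no call carries a stale token.
        "refresh_at": now + int(doc["expires_in"]) - skew,
    }


def refresh(refresh_token, client_id, client_secret):
    """Send the request (network call) and return the parsed tokens."""
    req = build_refresh_request(refresh_token, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read(), refresh_token)
```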