Skip to content

Refresh a token

Access Tokens are short-lived and must be refreshed after they expire to continue accessing resources. You can refresh the access_token by submitting another POST request to the /token endpoint, but this time providing the refresh_token as the grant type.

In Trimble Identity, an access_token is valid for 1 hour, and Refresh Tokens are valid for 9 days. However, errors can occur when tokens expire, are revoked, or lack sufficient privileges. Please ensure application can address errors returned by the token issuance endpoint.

Example request

POST /token HTTP/1.1
Host: stage.id.trimblecloud.com
Authorization: Basic OGgxY...
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
grant_type=refresh_token&tenantDomain=trimble.com&refresh_token=f77a8...

Example response

{
  "scope": "openid",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "861e9...",
  "id_token": "eyJhbG...",
  "access_token": "8aca1..."
}
  • To decode and verify the TID JWT Token, refer to Decode JWT
  • API CALL:

    • POST {baseURL}/oauth/token
  • HEADER:

    • Authorization: Basic <Base64 encoded “ClientID:ClientSecret”>
    • Accept: application/json
  • REQUEST BODY

    • grant_type = refresh_token
    • refresh_token = {the refresh token generated during the last access token request}

The value of id_token is only returned if id_token was included in the response_type of the original /authorize request.

Refresh token grace period

Grace period feature replaces deletion of a refresh token being exchanged and instead sets an extension of one hour for the user to retry during loss of network.

The grace period is configurable at application level and requires an approval process from the product team. Kindly raise a ticket with our support team.

Format of refresh token configured with Grace period

dataRegion_newToken_rootToken

where

  • dataRegion - the geo-location of the user (US, EU, EU-GB, AP-AU).

  • newToken - current node token generated in the hierarchy after exchanging the rootToken or the parent token in the chain.

  • rootToken - the first token in the chain of hierarchy generated from authorization code grant.

The root token would own the hierarchy and thus its format would be dataRegion_rootToken_rootToken