Refresh tokens

Refresh tokens are used to generate additional access tokens. A refresh token is returned alongside the access token when an authorization code is exchanged in ORCID's two-step and three-step OAuth flows, and it can be used for as long as the original access token remains active.

A new access token can keep the same expiry and scopes as the original, or it can be issued with a shorter lifespan, a subset of the original scopes, or both; it can never have a longer lifetime or a scope the original token did not carry. The new token can either replace the original (which is then revoked) or be issued alongside it as an additional token.

We suggest using refresh tokens in the following situations:

  • Replacing an access token that may have been compromised (the original token is revoked by default; if you pass revoke_old=false, revoke it separately, otherwise the compromised token stays valid);
  • Giving a third party that is part of your ORCID integration more limited access, access for a limited time, or both.

Parameters for generating a new access token from a refresh token

Parameter       Value                                                        Required?
Bearer header   The original access token (Authorization: Bearer <token>)    Optional
refresh_token   The refresh token                                            Required
client_id       Your client ID                                               Required
client_secret   Your client secret                                           Required
grant_type      refresh_token                                                Required
redirect_uri    The redirect URI used with the original token                Optional
scope           Scopes to include on the new token; must match or be a       Optional; by default all scopes on the original
                subset of the scopes on the original token                   token are added to the new token
expires_in      Lifetime of the new token in seconds; must match or be       Optional; by default the new token has the same
                less than the original token's lifetime                      expiry as the original token
revoke_old      true or false                                                Optional; defaults to true, so the original access
                                                                             token is revoked when the new token is created

An example refresh call. The original line omitted the token endpoint: https://orcid.org/oauth/token is ORCID's production endpoint and https://sandbox.orcid.org/oauth/token the sandbox one. The client ID, secret and refresh token below are placeholders. Do not add curl's -k flag to this call: it disables certificate verification, and a man-in-the-middle could then capture both the client secret and the refresh token. Because the client secret is sent in the body, the call belongs on your server, never in a browser or mobile app.

curl -i -L -H "Accept: application/json" \
  -d "refresh_token=80bf9e0a-39d2-4ac0-ac03-a82a629862bb" \
  -d "grant_type=refresh_token" \
  -d "client_id=APP-NPXKK6HFN6TJ4YYI" \
  -d "client_secret=060c36f2-cce2-4f74-bde0-a17d8bb30a97" \
  -d "scope=/read-limited" \
  -d "expires_in=631136518" \
  -d "revoke_old=false" \
  "https://orcid.org/oauth/token"
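The parameter table and the curl call above describe the refresh exchange but leave the client-side checks to the reader. The following is an added example, not ORCID's own client code: a small Python client that builds the refresh request, refuses a scope or lifetime the original token could not grant, posts the form with the client secret on the server side over verified TLS, and validates the response. The endpoint URL, the field names in the response, and all credentials and token values are assumptions or constructed sample data, not facts from the page; the HTTP opener is injectable so the exchange runs offline here.

```python
"""Refresh an ORCID-style access token while enforcing the documented limits.

Added example; not ORCID's own client code. The endpoint URL and the response
shape are assumptions, and every credential below is a constructed placeholder.
"""
import json
from io import BytesIO
import urllib.parse
import urllib.request

# Assumption: ORCID's sandbox token endpoint; the page itself does not name one.
TOKEN_ENDPOINT = "https://sandbox.orcid.org/oauth/token"


class RefreshError(ValueError):
    """A refresh request the token endpoint would (or should) reject."""


def build_refresh_request(original, client_id, client_secret,
                          scope=None, expires_in=None, revoke_old=True):
    """Return the form parameters for grant_type=refresh_token.

    `original` is the token record obtained when the authorization code was
    exchanged; it must carry "refresh_token", "scope" and "expires_in".
    Scope strings are treated as space-separated lists (OAuth 2.0 convention).
    The checks mirror the page's rules: a new token may only narrow, never
    widen, the scopes and lifetime of the original token.
    """
    original_scopes = set(original["scope"].split())
    params = {
        "refresh_token": original["refresh_token"],
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        # Default revokes the original token; pass revoke_old=False only when
        # you deliberately want two live tokens.
        "revoke_old": "true" if revoke_old else "false",
    }
    if scope is not None:
        requested = set(scope.split())
        extra = requested - original_scopes
        if not requested or extra:
            raise RefreshError(f"scope must be a non-empty subset of the original; extra: {sorted(extra)}")
        params["scope"] = " ".join(sorted(requested))
    if expires_in is not None:
        if not 0 < expires_in <= original["expires_in"]:
            raise RefreshError("expires_in must be positive and no longer than the original token")
        params["expires_in"] = str(expires_in)
    return params


def parse_token_response(body, original):
    """Validate a token-endpoint JSON body against what the original allowed."""
    for field in ("access_token", "refresh_token", "expires_in", "scope"):
        if field not in body:
            raise RefreshError(f"token response missing {field}")
    if not set(body["scope"].split()) <= set(original["scope"].split()):
        raise RefreshError("endpoint returned a scope the original token did not have")
    return {k: body[k] for k in ("access_token", "refresh_token", "expires_in", "scope")}


def refresh_access_token(original, client_id, client_secret,
                         opener=urllib.request.urlopen, **limits):
    """POST the refresh grant and return the new token record.

    `opener` defaults to urllib's urlopen, which verifies the server certificate
    (the opposite of curl -k); it is injectable so the flow can run offline.
    The client secret travels in the body, so this runs on your server only.
    """
    params = build_refresh_request(original, client_id, client_secret, **limits)
    request = urllib.request.Request(
        TOKEN_ENDPOINT,
        data=urllib.parse.urlencode(params).encode(),
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with opener(request) as response:
        body = json.load(response)
    return parse_token_response(body, original)


# Constructed sample data (not real credentials): the original token record and
# the body a token endpoint would return for a narrowed, short-lived refresh.
ORIGINAL_TOKEN = {
    "access_token": "orig-access-token",
    "refresh_token": "orig-refresh-token",
    "scope": "/read-limited /activities/update",
    "expires_in": 631138518,
}
SAMPLE_RESPONSE = json.dumps({
    "access_token": "new-access-token",
    "token_type": "bearer",
    "refresh_token": "new-refresh-token",
    "expires_in": 3600,
    "scope": "/read-limited",
}).encode()


def fake_opener(request):
    """Stand-in for urlopen that answers with SAMPLE_RESPONSE (offline demo)."""
    return BytesIO(SAMPLE_RESPONSE)


def demo():
    """Refresh to a one-hour, read-only token for a downstream component."""
    return refresh_access_token(ORIGINAL_TOKEN, "APP-EXAMPLE", "not-a-real-secret",
                                opener=fake_opener, scope="/read-limited", expires_in=3600)


if __name__ == "__main__":
    print(demo())
```

Replace fake_opener with the default urlopen (and the sandbox URL with the production one) to run it for real; the validation in build_refresh_request fails fast before any secret leaves the host, and parse_token_response catches an endpoint that hands back more than was asked for.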