Refresh tokens are used to generate additional access tokens. A refresh token is returned together with the access token when an authorization code is exchanged as part of the two-step and three-step OAuth processes, and it can be used as long as the access token remains active.
A new access token can have the same expiration and scopes as the original access token, or it can be requested with a shorter lifespan and/or a smaller subset of the original token's scopes. The new token can either replace the original token or serve as an additional token alongside it.
We suggest using refresh tokens in the following conditions:
- Replacing access tokens that may have been compromised (be sure to revoke the original access token);
- Giving a third party that is also a part of your ORCID integration more limited access and/or access for a limited time.
Parameters for generating a new access token from a refresh token

| Parameter | Value | Required? |
|---|---|---|
| Bearer header | Original access token | Optional |
| client_id | Your client ID | Required |
| client_secret | Your client secret | Required |
| redirect_uri | The redirect URI used with the original token | Optional |
| scope | Scopes to include on the new token; must match or be a subset of the scopes on the original token | Optional; by default all scopes on the original token are added to the new token |
| expires_in | The time in seconds the new token will last; must match or be less than the original token's expiry | Optional; by default new tokens have the same expiry as the original token |
| revoke_old | true or false | Optional; by default the original access token is revoked at the same time the new token is created |
An example refresh call:

```bash
# -k disables TLS certificate verification; leave it out anywhere other than
# local testing, since the call carries the client secret and refresh token.
curl -i -L -k \
  -d "refresh_token=80bf9e0a-39d2-4ac0-ac03-a82a629862bb" \
  -d "grant_type=refresh_token" \
  -d "client_id=APP-NPXKK6HFN6TJ4YYI" \
  -d "client_secret=060c36f2-cce2-4f74-bde0-a17d8bb30a97" \
  -d "scope=/read-limited" \
  -d "expires_in=631136518" \
  -d "revoke_old=false" \
  https://sandbox.orcid.org/oauth/token
```
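The same refresh call built programmatically, with the scope-subset and expiry rules from the table above checked on the client before anything is sent, and the request made with normal certificate verification rather than curl's `-k`. This is an added example, not ORCID's own client code; the token values are placeholders and the space-separated scope format in the original token response is an assumption.

```python
"""Build and send a refresh-token request to the ORCID token endpoint.
Added example (not ORCID's client library); token values are placeholders."""
import urllib.parse
import urllib.request

TOKEN_URL = "https://sandbox.orcid.org/oauth/token"  # sandbox endpoint from the page


def build_refresh_request(original, refresh_token, client_id, client_secret,
                          scope=None, expires_in=None, revoke_old=True):
    """Return (headers, form) for a refresh call, or raise ValueError.

    `original` holds the original token's "access_token", "scope"
    (assumed space-separated) and "expires_in" (seconds) as returned when
    the authorization code was exchanged.
    """
    orig_scopes = set(original["scope"].split())
    if scope is not None:
        extra = set(scope.split()) - orig_scopes
        if extra:  # a refreshed token may never gain scope
            raise ValueError(f"scope not on original token: {sorted(extra)}")
    if expires_in is not None and expires_in > original["expires_in"]:
        raise ValueError("expires_in must not exceed the original token's expiry")

    form = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
        # Default on the page is to revoke the original; send false only when
        # the new token is meant as an additional token, not a replacement.
        "revoke_old": "true" if revoke_old else "false",
    }
    if scope is not None:
        form["scope"] = scope
    if expires_in is not None:
        form["expires_in"] = str(expires_in)
    # The optional Bearer header carries the original access token.
    headers = {"Authorization": f"Bearer {original['access_token']}"}
    return headers, form


def send_refresh(headers, form, url=TOKEN_URL):
    """POST the form over TLS with certificate verification left on."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:  # network call
        return resp.read().decode()
```

For the "replace a compromised token" case from the list above, call `build_refresh_request` with the default `revoke_old=True` so the original token is revoked as the new one is issued.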