Refresh Token Grant

Token Request

The response of token request should contain access token and refresh token.

      {
        "access_token": "etMv23....429hiU32Hri",
        "refresh_token": "GEbRxBN...edjnXbL",
        "token_type": "Bearer"
      }

Use a Refresh Token:
To exchange the Refresh Token you received for a new Access Token, make a POST request to the token endpoint, using grant_type=refresh_token as follows.

        POST http://<wp_base_url>/wp-json/moserver/token
        Content-Type: application/x-www-form-urlencoded

        grant_type=refresh_token&
        client_id={client_id}&
        client_secret={client_secret}&
        refresh_token={refresh_token}

Here, is the description for each request parameter.

  • grant_type=refresh_token : This tells the server we’re using the refresh token grant type.

  • client_id : The public identifier of the application that the developer obtained during registration.

  • client_secret : The client secret provided by the OAuth provider.

  • refresh_token : The refresh token to use.

  • cURL
  • Postman
  • C#
  • Java
  • PHP
  • Python
curl -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=refresh_token&client_id=<your-client-id>&client_secret=<your-client-secret>&refresh_token=<refresh-token>" http://<your-wordpress-domain-name>/wptest/wordpress/wp-json/moserver/token

Click here to download POSTMAN collection export

String getRefreshedAccessToken()
{
      var httpWebRequest = (HttpWebRequest)WebRequest.Create("http://YOUR_DOMAIN/wp-json/moserver/token");
      httpWebRequest.ContentType = "application/json";
      httpWebRequest.Method = "POST";
      using (var streamWriter = new StreamWriter(httpWebRequest.GetRequestStream()))
      {
      string json = JsonConvert.SerializeObject(new
      {
            grant_type = "refresh_token",
            client_id = "<<YOUR CLIENT_ID>>",
            client_secret = "<<YOUR CLIENT SECRET>>",
            refresh_token = "<<REFRESH TOKEN>>"
      });
      streamWriter.Write(json);
      }
      var httpResponse = (HttpWebResponse)httpWebRequest.GetResponse();
      var streamReader = new StreamReader(httpResponse.GetResponseStream());
      var result = streamReader.ReadToEnd();
      dynamic jtoken = JsonConvert.DeserializeObject(result);
      Console.WriteLine(jtoken.access_token);
      return jtoken.access_token;
}
private static String getRefreshedAccessToken(refresh_token, username, password, clientId, clientSecret)
{
      Pattern pat = Pattern.compile(".*\"access_token\"\\s*:\\s*\"([^\"]+)\".*");
      String content = "grant_type=refresh_token&username=" + userName + "&password=" + password + "&refresh_token=" + refresh_token;
      BufferedReader reader = null;
      HttpURLConnection connection = null;
      String accesstoken = "";
      try {
            URL url = new URL(tokenUrl);
            connection = (HttpURLConnection) url.openConnection();
            connection.setRequestMethod("POST");
            connection.setDoOutput(true);
            connection.setRequestProperty("Authorization", "Basic " + authentication);
            connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            connection.setRequestProperty("Accept", "application/json");
            PrintStream os = new PrintStream(connection.getOutputStream());
            os.print(content);
            os.close();
            reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
            String line = null;
            StringWriter out = new StringWriter(connection.getContentLength() > 0 ? connection.getContentLength() : 2048);
            while ((line = reader.readLine()) != null) {
            out.append(line);
            }
            String response = out.toString();
            Matcher matcher = pat.matcher(response);
            if (matcher.matches() && matcher.groupCount() > 0) {
            accesstoken = matcher.group(1);
            }
            connection.disconnect();
      } catch (Exception e) {
            System.out.println("Error : " + e.toString());
      } finally {
            if (reader != null) {
            try {
                  reader.close();
            } catch (IOException e) {
            }
            }
      }
      System.out.println(accesstoken);
      return accesstoken;
}
function getRefreshedAccessToken($refresh_token)
{
      $token_url = "http://YOUR_DOMAIN/wp-json/moserver/token";
      $client_id = "<YOUR CLIENT_ID>";
      $client_secret = "<YOUR CLIENT SECRET>";
    $tokenContent = "grant_type=refresh_token&username=<USERNAME>&password=<PASSWORD>&refresh_token=<REFRESH_TOKEN>";
    $authorization = base64_encode("$client_id:$client_secret");
    echo "$authorization 
"; $tokenHeaders = array("Authorization: Basic {$authorization}","Content-Type: application/x-www-form-urlencoded"); $token = curl_init(); curl_setopt($token, CURLOPT_URL, $tokenUrl); curl_setopt($token, CURLOPT_HTTPHEADER, $tokenHeaders); curl_setopt($token, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($token, CURLOPT_RETURNTRANSFER, true); curl_setopt($token, CURLOPT_POST, true); curl_setopt($token, CURLOPT_POSTFIELDS, $tokenContent); $response = curl_exec($token); curl_close ($token); echo $response; return json_decode($response)->access_token; }
import requests,json
def getRefreshedAccessToken():
      token_url = "http://YOUR_DOMAIN/wp-json/moserver/token"
      resource_url = "http://YOUR_DOMAIN/wp-json/moserver/resource"
      callback_uri = "<<CALL BACK URI>>"
      client_id = '<<CLIENT_ID>>'
      client_secret = '<<CLIENT SECRET>>'
      refresh_token = '<<REFRESH TOKEN>>'
      t_json = {'grant_type':'refresh_token','username':'<<USERNAME>>','password':'<<PASSWORD>>','client_id' : client_id,'client_secret' : client_secret,'refresh_token':refresh_token}
      response = requests.post(token_url,data=t_json)
      resp = json.loads(response.text)
      access_token = resp["access_token"]
      return access_token

The response will include a new Access Token, its type, its lifetime (in seconds), and the granted scopes. If the scope of the initial token included openid, then a new ID Token will be in the response as well.

Response will contain parameters as follows:

      {
        "access_token": "eyJ...MoQ",
        "expires_in": 86400,
        "scope": {scope},
        "id_token": "eyJ...0NE",
        "token_type": "Bearer"
      }

Revoke a Refresh Token

Since Refresh Tokens never expire, it is essential to be able to revoke them in case they get compromised.

To revoke a Refresh Token, you can send a POST request to token endpoint as follows.

      POST http://<wp_base_url>/wp-json/moserver/token
      Content-Type: application/x-www-form-urlencoded

      client_id={client_id}&
      client_secret={client_secret}&
      refresh_token={refresh_token}