Access tokens

For each API call you make you need to authenticate. The authentication is managed via access tokens. An access token is installation-specific and can be acquired via the authorization flow described in Authorization. An access token comes in pair with a refresh token, which is used to request a new access token after expiration of the access token. Keep both tokens secret and do not share them in publicly accessible areas. For each API request, the access token should be placed in the header of the request. After 24 hours access tokens are expired and need to be refreshed.

Refresh tokens

After 24 hours access tokens are expired.  Request a new one using the refresh token that was obtained together with the outdated access token. Refresh tokens are never expired, but can be used only once. Use API call POST and use grant_type=refresh_token for this purpose.

Code Example:

curl -d 'client_id=CLIENT_ID' \
-d 'client_secret=THE_SECRET' \
-d 'grant_type=refresh_token' \
-d 'refresh_token=dfea2eccfd4183e74ff111c79aecf48e' \

If everything went ok, the authorization server returns a new access and refresh token pair. This new token can be used for API calls, and the new refresh token can be used to go through the refresh token process again.

Successful response:


Every time the access token is refreshed, a new pair of access token and refresh token is generated. The old token and old refresh token are invalidated. If an invalid / outdated refresh token is used, the following error will be shown:

Failed response:

"error_description":"The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed."