Refresh Token
POST
/web/v1/system/auth/token/refresh NoneRefreshes an expired access token using a valid refresh token. Returns a new access/refresh token pair.
Required Headers
| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json | Request content type |
| Accept | application/json | Expected response type |
| X-Client-Hash | Client device fingerprint | |
| Accept-Language | en, zh, zh-Hant, ja, vi | Response language (default: en) |
Request Parameters
| Name | Type | Required | In | Description |
|---|---|---|---|---|
rawRequestBody | String | Required | body | Raw request body (encrypted via SecureChannel, auto-decrypted by the server) |
refreshToken | String | Required | body | Current valid refresh token |
Request Example
json
{
"refreshToken": "eyJhbGciOiJIUzI1NiIs..."
}Success Response
Success 200
{
"version": "2.0.0",
"timestamp": 1711929600000,
"success": true,
"code": "2000",
"message": "SUCCESS",
"data": {
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJBQ0NfVEVTVF8wMDEiLCJzaWQiOiJTRVNTXzAwMSIsImlhdCI6MTcxMTkyOTYwMH0.new-token",
"refreshToken": "dGVzdC1uZXctcmVmcmVzaC10b2tlbi1leGFtcGxl",
"expiresIn": 3600
}
}Error Responses
Unauthorized 401
{
"success": false,
"code": "AUTH.REFRESH_TOKEN_INVALID",
"message": "Invalid or expired refresh token"
}Notes
- The refresh token is single-use; a new refresh token is issued with each refresh.
- Rate limited to 10 requests per window.
- Request body is strictly validated — unknown or unexpected fields will be rejected with HTTP 400.