Cookie Refresh Token

POST

/api/auth/refresh

const url = 'https://example.com/api/auth/refresh';
const options = {method: 'POST'};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request POST \
  --url https://example.com/api/auth/refresh

Refresh an access token using the httpOnly refresh cookie.

This is the cold-start path: browser reopened, localStorage empty, but the httpOnly cookie persists. Validates the refresh token, rotates it, and issues a new access token + refresh cookie.

Cookie: canvas_refresh= Returns: {“access_token”: ”…”, “expires_in_minutes”: 480}

Set-Cookie: canvas_refresh=<rotated_token>; …

Responses

200

Successful Response

application/json

CookieRefreshResponse

Response from POST /auth/refresh (cookie-based).

object

access_token

required

Access Token

string

expires_in_minutes

required

Expires In Minutes

integer

Example ^generated

{
  "access_token": "example",
  "expires_in_minutes": 1
}

Cookie Refresh Token

Responses

200

Example generated

Example ^generated