Overview
LoginRadius Refresh Token APIs allow applications to extend user sessions beyond the default expiration of an Access Token. This feature supports security and flexibility by enabling short-lived Access Tokens while providing long-lived Refresh Tokens for seamless session continuity.
⚠️ Refresh Tokens do not work standalone. A valid Access Token is required to initiate or manage a session.
Refresh Tokens are particularly useful for maintaining sliding sessions, enabling token renewal without forcing users to re-authenticate frequently. All refresh tokens issued by LoginRadius expire in 60 days by default, with the ability to customize the duration up to 365 days via the Console.
Key Features and Use Cases
- Sliding Session Support - Avoid session expiration due to inactivity with token-based sliding sessions.
- Short-Lived Access, Long-Lived Refresh - Enhance security by using brief Access Token lifetimes while maintaining a longer Refresh Token.
- Customizable Token Lifetime - Configure token expiry settings directly in the Console.
- Token Rotation - Automatically generate a new Refresh Token with each successful refresh, invalidating the previous one.
- Session Extension Without Re-login - Seamlessly extend sessions without disrupting the user experience.
Common API Endpoints
These APIs enable full control over issuing, renewing, and revoking tokens in a secure and manageable way.
- Refresh Token
- Token Revocation
Refresh Token
These APIs provide a new Access Token when the current one expires, optionally along with a new Refresh Token.

| Endpoint | Description |
|---|---|
| Refresh Access Token By Refresh Token | This API facilitates generating a new Access Token using a valid Refresh Token. A new Refresh Token is also issued in the response. Once the original Refresh Token is used, it becomes invalid and cannot be reused. This ensures a secure token rotation mechanism for maintaining user sessions without re-authentication. |
| Refresh Token | This API is used to renew a LoginRadius Access Token or a Provider Access Token after successful user authentication. It supports the expiresIn parameter to set a custom expiration duration. |
| Refresh User Profile | After authentication, this API retrieves the latest user profile data from the connected social provider using standard OAuth and OpenID Connect protocols. The profile is returned in LoginRadius' normalized format. |
Token Revocation
These APIs allow you to proactively manage session security by invalidating refresh tokens individually or across all user sessions. These endpoints are useful when implementing logout flows, handling compromised tokens, or enforcing device-specific session policies.

| Endpoint | Description |
|---|---|
| Revoke Refresh Token | Immediately invalidates a Refresh Token, preventing it from being reused to refresh the session. |
| Revoke All Refresh Token | Invalidates all Refresh Tokens issued for the user, effectively terminating all active sessions across devices. |
NOTE: Revoking a `refresh_token` does not invalidate its associated `access_token`. To terminate the active session immediately, use the Invalidate Access Token API.
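To make the rotation and revocation rules above concrete, here is an added Python model of a token store that enforces them. This is example code written for this page, not LoginRadius' own implementation; it assumes an in-memory store, a 30-minute access lifetime, and that an earlier Access Token stays valid until its own expiry after a refresh (the page does not state this).

```python
import secrets
import time
# Lifetimes follow the page: short-lived access (30 min here), refresh 60 days by default.
ACCESS_TTL = 30 * 60
REFRESH_TTL = 60 * 24 * 3600

class TokenStore:
    """In-memory model of the rotation and revocation rules described above."""
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be simulated
        self.access = {}      # access_token -> (uid, expires_at)
        self.refresh = {}     # refresh_token -> (uid, expires_at)
        self.audit = []       # (event, uid) entries for security monitoring

    def issue(self, uid):
        """Issue a fresh access/refresh pair after successful authentication."""
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = (uid, self.now() + ACCESS_TTL)
        self.refresh[r] = (uid, self.now() + REFRESH_TTL)
        self.audit.append(("issue", uid))
        return a, r

    def refresh_session(self, refresh_token):
        """Rotation: a refresh token is consumed on first use; any reuse is rejected."""
        entry = self.refresh.pop(refresh_token, None)
        if entry is None or self.now() >= entry[1]:
            # Unknown, already rotated, revoked or expired: log it and issue nothing.
            self.audit.append(("refresh_rejected", entry[0] if entry else None))
            return None
        return self.issue(entry[0])

    def revoke_refresh(self, refresh_token):
        """Revoke one refresh token; its access token stays valid until it expires."""
        return self.refresh.pop(refresh_token, None) is not None

    def revoke_all(self, uid):
        """Invalidate every refresh token issued to the user (all devices)."""
        doomed = [r for r, (u, _) in self.refresh.items() if u == uid]
        for r in doomed:
            del self.refresh[r]
        self.audit.append(("revoke_all", uid))
        return len(doomed)

    def invalidate_access(self, access_token):
        # Ends the live session now: the separate Invalidate Access Token step.
        return self.access.pop(access_token, None) is not None

    def access_valid(self, access_token):
        entry = self.access.get(access_token)
        return entry is not None and self.now() < entry[1]
```

The `refresh_rejected` audit entries are the signal worth alerting on: a rotated Refresh Token presented a second time indicates either a client bug or a token that has been copied.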
Best Practices
- For enhanced security, use short-lived Access Tokens (e.g., 15–30 mins) combined with long-lived Refresh Tokens.
- Limit refresh token lifetime via the Console under Session Management.
- Log and monitor token issuance and revocation for security auditing.
- Consider Sliding Token Expiry to extend sessions only if the Access Token is actively used.