# Refresh an Access Token

When your access token expires, you can use a refresh token to obtain a new access token without requiring the user to re-authenticate.

Complete details of the specification are available in [RFC 6749 section 6](https://www.rfc-editor.org/rfc/rfc6749#section-6).

Send the following parameters www-form-encoded in the request body to the token endpoint:

| Environment | Token Endpoint |
|  --- | --- |
| Production | https://auth.dailypay.com/oauth2/token |
| UAT | https://auth.uat.dailypay.com/oauth2/token |


```json
{
  "$ref": "#/components/schemas/RefreshTokenRequest",
  "components": {
    "schemas": {
      "RefreshTokenRequest": {
        "type": "object",
        "title": "Refresh token",
        "required": [
          "grant_type",
          "refresh_token",
          "client_id"
        ],
        "properties": {
          "grant_type": {
            "type": "string",
            "description": "The OAuth2 grant type",
            "const": "refresh_token"
          },
          "refresh_token": {
            "type": "string",
            "description": "A refresh token received from a previous token request",
            "example": "rt.ML_PsNjfQA4M7iupH_3jw"
          },
          "client_id": {
            "description": "The client id of the application refreshing the token.",
            "type": "string",
            "example": "your_client_id"
          },
          "client_secret": {
            "type": "string",
            "description": "The client secret of the application refreshing the token, if available.",
            "example": "your_client_secret"
          },
          "scope": {
            "type": "string",
            "description": "A space-separated list of scopes to request in the access token. If not provided, the scopes will default to those originally granted.",
            "example": "user:read"
          }
        }
      }
    }
  }
}
```

```shell cURL
curl -i -X POST \
  https://auth.dailypay.com/oauth2/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d grant_type=refresh_token \
  -d refresh_token=rt.ML_PsNjfQA4M7iupH_3jw \
  -d client_id=your_client_id \
  -d client_secret=your_client_secret \
  -d scope=user:read
```

The resulting access token can be used to make requests to the DailyPay REST API:

```json 200 application/json
{
  "access_token": "dpo_38347Ae178B4a16C7e42F292c6912E7710c8",
  "refresh_token": "dpo_38347Ae178B4a16C7e42F292c6912E7710c9",
  "token_type": "bearer",
  "scope": "user:read_write",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.4FjJ3eZJYJj7J9Jf",
  "expires_in": 3600
}
```

```json default application/json
{
  "error": "unexpected_error",
  "error_description": "An internal server error has occurred.",
  "status_code": 500,
  "error_hint": "string"
}
```

> The authorization code, access token, and refresh tokens can vary in size but will typically remain under 4096 bytes.