Authentication API Enhancements
Author: Matthew Lewter
Changed on: 3 Feb 2025

| Target release date: | 2025-02-02 |
|---|---|
| Release status: | Released |
Description
This update introduces refresh token support to the Authentication API, allowing clients to request new access tokens without requiring a username and password. This enhancement improves security by reducing the need to store sensitive credentials and enables seamless token renewal before expiration.
For more details, refer to the Authentication API documentation.
Changelog
- Added Refresh Token Functionality:
  - The Authentication API now returns a refresh_token if the account has refresh tokens enabled.
  - Clients can use the refresh_token to request a new access_token without submitting their username and password.
  - The Authentication API documentation has been updated to include an example API request that demonstrates how to exchange a refresh_token for a new access_token.
- Updated Response Model:
  - A new refresh_token field has been added to the response model.
  - Please note: expires_in applies only to the access_token and does not affect the expiration of the refresh_token.
- New Error Handling for Refresh Tokens:
  - Refresh tokens are single-use. Attempting to reuse an expired or previously used refresh token will result in an error.
  - The Authentication API will respond with the following error in these scenarios:
    - "error": "invalid_grant", "error_description": "Invalid refresh token"
This update enhances authentication security and improves the developer experience by allowing integrations to renew access tokens without re-authenticating with credentials.
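An added example, not code from the Authentication API documentation, of a client that handles the single-use refresh tokens described in the changelog: it keeps the replacement token from each response, serialises refreshes so a token is never sent twice, and falls back to credential login on invalid_grant. The `post_token` callable, the `grant_type`/`refresh_token` request fields, the assumption that each refresh response carries a new refresh_token, and `FakeAuthServer` with its token values are assumptions or constructed for the example.

```python
import threading
import time

class ReauthRequired(Exception):
    """The refresh token was rejected; log in with credentials again."""

class TokenManager:
    def __init__(self, post_token, initial, skew=30, clock=time.monotonic):
        # post_token: hypothetical callable(dict) -> dict that sends the token request
        self._post, self._skew, self._clock = post_token, skew, clock
        self._lock = threading.Lock()  # serialise refreshes: each token works once
        self._store(initial)

    def _store(self, resp):
        self._access = resp["access_token"]
        self._expires_at = self._clock() + resp["expires_in"]  # access_token lifetime only
        self._refresh = resp.get("refresh_token")  # absent if not enabled for the account

    def access_token(self):
        with self._lock:
            if self._clock() < self._expires_at - self._skew:
                return self._access
            if self._refresh is None:
                raise ReauthRequired("no refresh token held")
            # Assumed OAuth 2.0 style request fields; confirm against the API docs
            resp = self._post({"grant_type": "refresh_token", "refresh_token": self._refresh})
            if resp.get("error") == "invalid_grant":
                self._refresh = None  # spent or expired: never send it again
                raise ReauthRequired(resp.get("error_description", "invalid_grant"))
            if "error" in resp:
                raise RuntimeError(resp["error"])
            self._store(resp)  # the used refresh token is replaced by the new one
            return self._access

class FakeAuthServer:
    """Constructed stand-in for the API: every refresh token works once."""
    def __init__(self):
        self.n, self.valid = 0, set()

    def issue(self):
        self.n += 1
        self.valid.add(f"rt-{self.n}")
        return {"access_token": f"at-{self.n}", "expires_in": 60,
                "refresh_token": f"rt-{self.n}"}

    def post(self, form):
        if form["refresh_token"] not in self.valid:
            return {"error": "invalid_grant", "error_description": "Invalid refresh token"}
        self.valid.remove(form["refresh_token"])
        return self.issue()
```

Persist the stored refresh token with the same protection as a credential, and overwrite it on every successful refresh.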
| Released capability depth: | Enhancement |
|---|---|
| Release bundle / Capability type: | Platform |