POST /api/userAuth/refresh-token

Issues a new access token using the current refresh token. The refresh token is automatically rotated — the old one is invalidated and a new one is issued.
Call this endpoint whenever you receive a 401 Unauthorized response on any other request. It is safe to call proactively when the access token is about to expire.

Required Header

x-api-key: your pk_live_… key.

Two Modes

Depending on your client type, you send the refresh token differently.

Web (browser)

The refresh token is stored in an HTTP-only cookie set during login. You do not need to read or send it manually — just include credentials: 'include' so the browser attaches the cookie automatically.

Mobile / non-browser

Include the refresh token in the x-refresh-token header, and set x-refresh-token-mode to 'header' to tell urBackend to read it from there.

Response Fields

success (boolean): true when a new access token was issued.
data (object)
message (string): Human-readable status message.

Code Examples

// Browser: credentials: 'include' sends the HTTP-only cookie automatically
const res = await fetch('https://api.ub.bitbros.in/api/userAuth/refresh-token', {
  method: 'POST',
  headers: {
    'x-api-key': 'pk_live_YOUR_KEY'
  },
  credentials: 'include'
});

// A 401 here means the refresh token is missing, invalid, or already rotated
if (!res.ok) {
  throw new Error(`Token refresh failed: ${res.status}`);
}

const { data } = await res.json();
const newAccessToken = data.accessToken;

Success Response

{
  "success": true,
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "expiresIn": "15m"
  },
  "message": "Token refreshed successfully"
}

Errors

Status            Cause
401 Unauthorized  Refresh token missing, invalid, or already rotated
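
Because every refresh rotates the token and an already rotated token is rejected with 401, a browser client that has several requests in flight should share one refresh call instead of issuing one per failed request. The block below is an added example, not urBackend's own code: makeClient, fakeServer, demo and the /api/data path are hypothetical names, sending the access token as a Bearer header is an assumption, and the fake server is constructed so the block runs offline.

```javascript
// Added example, not urBackend's code. makeClient, fakeServer, demo and /api/data
// are hypothetical names; sending the access token as a Bearer header is assumed.
const API_BASE = 'https://api.ub.bitbros.in';
function makeClient(apiKey, doFetch) {
  let accessToken = null, refreshing = null; // refreshing: in-flight refresh shared by all callers
  function refresh() {
    if (!refreshing) {
      refreshing = doFetch(`${API_BASE}/api/userAuth/refresh-token`, {
        method: 'POST', headers: { 'x-api-key': apiKey },
        credentials: 'include' // browser mode: the cookie carries the refresh token
      }).then(async (res) => {
        if (!res.ok) throw new Error(`refresh failed: ${res.status}`);
        accessToken = (await res.json()).data.accessToken;
      }).finally(() => { refreshing = null; });
    }
    return refreshing;
  }
  async function request(path, init = {}) {
    const send = () => doFetch(API_BASE + path, {
      ...init, credentials: 'include',
      headers: { ...init.headers, 'x-api-key': apiKey, Authorization: `Bearer ${accessToken}` }
    });
    const res = await send();
    if (res.status !== 401) return res;
    await refresh(); // access token rejected: refresh once, retry once
    return send();
  }
  return { request };
}

// Constructed stand-in for the server: rotates the token and counts refresh calls.
function fakeServer() {
  let current = 'tok-0', refreshCalls = 0;
  const reply = (status, body) => Promise.resolve({ ok: status < 400, status, json: async () => body });
  const fetchImpl = (url, init) => {
    if (url.endsWith('/refresh-token')) {
      current = `tok-${++refreshCalls}`;
      return reply(200, { data: { accessToken: current } });
    }
    return reply(init.headers.Authorization === `Bearer ${current}` ? 200 : 401, {});
  };
  return { fetchImpl, calls: () => refreshCalls };
}

async function demo() { // three concurrent requests, all rejected with 401 at first
  const server = fakeServer();
  const client = makeClient('pk_live_YOUR_KEY', server.fetchImpl);
  const results = await Promise.all([1, 2, 3].map(() => client.request('/api/data')));
  return { statuses: results.map((r) => r.status), refreshCalls: server.calls() };
}
```

In a real page, pass the browser's fetch as doFetch; demo() resolves with the three final statuses and the number of refresh calls the fake server saw.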