Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.ub.bitbros.in/llms.txt

Use this file to discover all available pages before exploring further.

POST /api/userAuth/refresh-token

Issues a new access token using the current refresh token. The refresh token is automatically rotated — the old one is invalidated and a new one is issued.
Call this endpoint whenever you receive a 401 Unauthorized response on any other request. It is safe to call proactively when the access token is about to expire.

Required Header

x-api-key: your pk_live_… key.

Two Modes

Depending on your client type, you send the refresh token differently.

Web (browser)

The refresh token is stored in an HTTP-only cookie set during login. You do not need to read or send it manually — just include credentials: 'include' so the browser attaches the cookie automatically.

Mobile / non-browser

Include the refresh token in the x-refresh-token header, and set x-refresh-token-mode to 'header' to tell urBackend to read it from there.

Response Fields

Response Fields

accessToken
string
The new short-lived JWT access token.
expiresIn
string
Human-readable duration until the new access token expires (e.g., "15m").

Code Examples

// Browser: credentials: 'include' sends the HTTP-only cookie automatically
const res = await fetch('https://api.ub.bitbros.in/api/userAuth/refresh-token', {
  method: 'POST',
  headers: {
    'x-api-key': 'pk_live_YOUR_KEY'
  },
  credentials: 'include'
});

const { accessToken: newAccessToken } = await res.json();

Success Response

{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expiresIn": "15m"
}

Errors

StatusCause
401 UnauthorizedRefresh token missing, invalid, or already rotated