Using an expiring access token and refresh token enhances your application's security. An access token expires in 1 hour and a refresh token expires in 60 days.

To use an expiring access token and refresh token, you must enable the expire user authorization token feature during app creation. With this feature enabled, when you exchange an authorization code for an access token, you also get a refresh token in the JSON response. Use the refresh token to get a new access token without repeatedly asking the user for authorization.

Get or use a refresh token using the following POST request:

Query Parameters

  • grant_type=refresh_token
  • client_id — The application’s client ID
  • client_secret — The application’s client secret. The client secret must be kept confidential.
  • refresh_token — Include the refresh token.



You'll receive a JSON response containing the new expiring access token and refresh token.

{
 "user_id" : 3074457358154717003,
 "token_type" : "bearer",
 "team_id" : 3074457358607431473,
 "access_token" : "7TC7P3xrTFm6FdpJgjSX1CH21cI",
 "refresh_token" : "Ff3f94rSOfbqNvLn-PRyyf3e19w",
 "scope" : "boards:write boards:read identity:read",
 "expires_in" : 3599
}
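
The following is an added example, not code from the original documentation: a small client-side token manager that sends the refresh request with the four query parameters listed above, stores the refresh token returned in the response, and refreshes shortly before `expires_in` elapses. `TOKEN_URL` is a placeholder because the endpoint URL is not shown on this page; `TokenManager`, `http_post` and `margin` are hypothetical names.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholder (assumption): the page does not show the token endpoint URL.
TOKEN_URL = "https://api.example.invalid/oauth/token"


def http_post(url):
    """Default transport: POST with the parameters in the query string."""
    req = urllib.request.Request(url, data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class TokenManager:
    """Holds the current token pair and refreshes it shortly before expiry."""

    def __init__(self, client_id, client_secret, refresh_token,
                 post=http_post, clock=time.time, margin=60):
        self._client_id = client_id
        self._client_secret = client_secret  # never log or serialise this
        self.refresh_token = refresh_token
        self.access_token = None
        self._expires_at = 0.0
        self._post, self._clock, self._margin = post, clock, margin

    def refresh(self):
        query = urllib.parse.urlencode({
            "grant_type": "refresh_token",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "refresh_token": self.refresh_token,
        })
        body = self._post(TOKEN_URL + "?" + query)
        # Validate before overwriting state, so a malformed reply cannot
        # wipe out the refresh token we still hold.
        for key in ("access_token", "refresh_token", "expires_in"):
            if key not in body:
                raise ValueError("token response missing " + key)
        self.access_token = body["access_token"]
        self.refresh_token = body["refresh_token"]  # keep the newly issued one
        self._expires_at = self._clock() + int(body["expires_in"])

    def get_access_token(self):
        if self.access_token is None or self._clock() >= self._expires_at - self._margin:
            self.refresh()
        return self.access_token
```

After each refresh, write the returned refresh token back to wherever the application stores its secrets, so the next process start uses the current one.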