Refresh Token

curl --request POST \
  --url https://api.example.com/api/v1/auth/refresh

{}

auth

Refresh Token

Refresh the access token using the refresh cookie. Rotates the refresh token.

Implements refresh-token reuse detection (SEC-20260420-006). Each session row carries used_at (set on rotation) and replaced_by_id (forward chain link). If a client presents a token whose row has used_at set, the token is being replayed — either by an attacker who stole the cookie before the legitimate client rotated it, or by a buggy client retrying the same token. Either way we burn the entire rotation family so a stolen cookie is worth at most one rotation cycle and the theft is loud.

POST

api

auth

refresh

Refresh Token

curl --request POST \
  --url https://api.example.com/api/v1/auth/refresh

{}

Cookies

riftmap_refresh

string | null

Response

Successful Response

{key}

string

List Providers Register