Refresh an expired JWT
POST/auth/refresh
Exchanges a valid refresh token for a new JWT (and a new refresh token). The original refresh token is invalidated after use.
Requirements
- The refresh-token feature must be enabled in the plugin settings.
- The refresh token must exist in the database and not have exceeded the maximum token age configured in the plugin settings.
- If "Authentication Requires Auth Code" is enabled,
AUTH_KEYmust be provided.
Request
Responses
- 200
- 401
- 403
- 422
- 500
JWT refreshed successfully. Returns a new JWT and a new refresh token.
Unauthorized. One of:
- The refresh token was not found in the database (expired, already rotated,
or never issued) (
error_code51). - A JWT was supplied alongside the refresh token but has been revoked -
revoked JWTs cannot be used to obtain new tokens (
error_code55). - The WordPress user linked to the refresh token no longer exists
(
error_code55). - The provided auth code is wrong (
error_code27).
Forbidden. One of:
- The refresh-token feature is disabled in the plugin settings (
error_code81). - Authentication is disabled in the plugin settings (
error_code45). - The client IP address is not on the allow-list (
error_code41).
Unprocessable entity. One of:
- The
refresh_tokenfield is absent from the request (error_code51). - The auth code is required but was not provided (
error_code94).
Internal server error.