Renews the access token by validating the refresh token cookie. Returns a new access token and refreshes both authentication cookies.

Authentication

This endpoint requires a valid refreshToken cookie to be present in the request.

Request

Response

  • status (string): Response status. Returns “success” on successful token renewal.
  • data (object): Contains the user data object.
    • users (object): The authenticated user details.
      • id (number): Unique identifier for the user.
      • fullname (string): User’s full name.
      • email (string): User’s email address.

Response Headers

The response includes two Set-Cookie headers:
  • Set-Cookie: accessToken - New HTTP-only cookie for API authentication. Valid across all paths. Includes Secure and SameSite=None flags.
  • Set-Cookie: refreshToken - Refreshed HTTP-only cookie for token renewal. Only valid for /api/refresh path. Includes Secure and SameSite=None flags.

Example Request

curl -X GET https://juadah-backend.vercel.app/api/refresh \
  -H "Cookie: refreshToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Example Response

Success (200 OK)

{
  "status": "success",
  "data": {
    "users": {
      "id": 1,
      "fullname": "John Doe",
      "email": "user@example.com"
    }
  }
}
Response headers include:
Set-Cookie: accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...; Path=/; HttpOnly; Secure; SameSite=None
Set-Cookie: refreshToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...; Path=/api/refresh; HttpOnly; Secure; SameSite=None

Missing Refresh Token (400 Bad Request)

{
  "status": "fail",
  "errors": {
    "code": 400,
    "message": "invalid request, refresh token unavailable"
  }
}
This error is returned when no refresh token cookie is present in the request.

Invalid Refresh Token (400 Bad Request)

{
  "status": "fail",
  "errors": {
    "code": 400,
    "message": "invalid request, refresh token is invalid"
  }
}
This error is returned when the refresh token is malformed, expired, or otherwise invalid.