Access tokens expire after 15 minutes. Instead of asking your users to log in again, you can silently obtain a fresh access token by sending your stored refresh token to this endpoint. The API validates the token, issues a new access token and a new refresh token, and immediately revokes the one you just used. This rotation strategy means a stolen refresh token can only be used once before it becomes invalid. No authentication header is required — the refresh token itself is the credential.

Endpoint

POST https://api.dubupay.com/api/v1/auth/refresh

Request body

refresh_token (string, required)
The refresh token previously issued by POST /auth/login, POST /auth/refresh, or POST /auth/verify-email. Each refresh token can only be used once.

Response

HTTP 200 OK on success.

success (boolean)
true on a successful token rotation.

data (object)

Example

curl -X POST https://api.dubupay.com/api/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }'

Response

{
  "success": true,
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

Token rotation

Every successful call to this endpoint invalidates the refresh token you submitted and replaces it with a brand-new one. You must update your stored refresh token after every rotation.

If the same refresh token is used twice — for example because an attacker replayed a captured token — the second attempt returns 401 TOKEN_REVOKED. At that point you should treat the session as compromised, clear all stored tokens, and require the user to log in again.

Refresh tokens are also invalidated when you:
  • Call POST /auth/logout
  • Change your password via PATCH /auth/me/password

In both cases any stored refresh token becomes immediately unusable and a new login is required.
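
Client-side handling of the rotation rules above, as an added example (not DubuPay's code). The `post` transport, the class names, the local `NO_SESSION` marker and the top-level `code` field in error bodies are assumptions, since this page does not show the error body shape; the lock keeps two threads from submitting the same single-use token and triggering TOKEN_REVOKED against themselves.

```python
import threading
REFRESH_URL = "https://api.dubupay.com/api/v1/auth/refresh"

class LoginRequired(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.code = code
        self.compromised = code == "TOKEN_REVOKED"  # token reuse: treat session as stolen

class TokenStore:
    def __init__(self, post, access_token, refresh_token):
        self._post = post  # assumed transport: post(url, json_dict) -> (status, body_dict)
        self._lock = threading.Lock()
        self.access_token, self.refresh_token = access_token, refresh_token

    def refresh(self, stale_access_token):
        """Rotate once per expiry, even if several threads notice the expiry together."""
        with self._lock:
            if self.access_token and self.access_token != stale_access_token:
                return self.access_token  # another caller already rotated
            if not self.refresh_token:
                raise LoginRequired("NO_SESSION")  # local marker, not an API code
            status, body = self._post(REFRESH_URL, {"refresh_token": self.refresh_token})
            if status == 200 and body.get("success"):
                # Store BOTH new tokens; the submitted refresh token is now revoked.
                self.access_token = body["data"]["access_token"]
                self.refresh_token = body["data"]["refresh_token"]
                return self.access_token
            if status == 401:
                self.access_token = self.refresh_token = None  # clear all stored tokens
                raise LoginRequired(body.get("code", "UNKNOWN"))  # assumed field name
            raise RuntimeError(f"refresh failed with HTTP {status}")  # tokens kept

class FakeAuthServer:
    """Constructed stand-in for the endpoint: refresh tokens are single-use."""
    def __init__(self):
        self.current, self.used, self.n = "r0", set(), 0

    def post(self, url, payload):
        token = payload.get("refresh_token")
        if token in self.used:
            return 401, {"success": False, "code": "TOKEN_REVOKED"}
        if token != self.current:
            return 401, {"success": False, "code": "INVALID_REFRESH_TOKEN"}
        self.used.add(token)
        self.n += 1
        self.current = f"r{self.n}"
        return 200, {"success": True,
                     "data": {"access_token": f"a{self.n}", "refresh_token": self.current}}
```

Callers pass the access token they saw fail, so a thread that waited on the lock reuses the result of the rotation that already happened instead of spending the new refresh token.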

Error responses

Status  Code                   Description
400     Validation error       refresh_token is missing from the request body.
401     INVALID_REFRESH_TOKEN  The token is malformed, has expired, or the signature does not match.
401     TOKEN_REVOKED          The token was already used or has been invalidated (logout / password change).
401     UNAUTHORIZED           The merchant account associated with this token no longer exists or is deactivated.