Refresh Access Token
Generate a new access token using the refresh token that was set as an HTTP-only cookie during login. This endpoint helps maintain user sessions without requiring re-authentication.
HTTP Method & Endpoint
GET | /auth/refresh/{storeId}
Path Parameter
| Parameter | Type | Required | Description |
|---|---|---|---|
storeId | String | Yes | StoreId (replace {storeId} with your actual storeId) |
Request
Headers
| Header | Value | Description |
|---|---|---|
Content-Type | application/json | Specifies that the request body is in JSON format |
x-store-id | {storeId} | StoreId (replace {storeId} with your actual storeId) |
Cookie | __Secure-unisouk.{storeId}.refresh-token={token} | HTTP-only refresh token cookie (set by the server; inaccessible to JavaScript ) |
HTTP Method & Endpoint
GET | /auth/refresh/{storeId}
Path Parameter
| Parameter | Type | Required | Description |
|---|---|---|---|
storeId | String | Yes | StoreId (replace {storeId} with your actual storeId) |
Request
Headers
| Header | Value | Description |
|---|---|---|
Content-Type | application/json | Specifies that the request body is in JSON format |
x-store-id | {storeId} | StoreId (replace {storeId} with your actual storeId) |
Cookie | __Secure-unisouk.{storeId}.refresh-token={token} | HTTP-only refresh token cookie (set by the server; inaccessible to JavaScript ) |
warning
The refresh token cookie is automatically sent by the browser when this API is called. You do not need to include it manually in your request.
Important Notes:
- The refresh token cookie is automatically set by the Login API upon successful authentication
- The cookie is HTTP-only and Secure, making it inaccessible to client-side JavaScript
- The cookie name follows the pattern:
__Secure-unisouk.{storeId}.refresh-token - The access tokens have short expiration times (ie 15 minutes)
Response Format
Success Response (200 OK)
{
"message": "Refresh Success.",
"data": {
"customer": {
"id": "2342341293912113",
"storeId": "2342341293912313",
"email": "abc@gmail.com",
"mobileNumber": null,
"emailVerified": "2025-05-16T06:26:16.513Z",
"mobileVerified": null,
"status": "ACTIVE",
"createdAt": "2025-05-16T06:25:36.043Z",
"updatedAt": "2025-05-16T06:26:16.514Z"
},
"accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleV9Udm1iWVUyWEdiSDk0TnpaIn0...."
},
"source": "db"
}
Data properties
| Field | Type | Description |
|---|---|---|
accessToken | String | New JWT access token |
customer | Customer | Contains all details about the authenticated user |
Customer Properties
| Field | Type | Description | Format/Values |
|---|---|---|---|
id | String | Unique identifier for the customer | BigInt( eg. 2342341293912313) |
storeId | String | Unique identifier of the associated store | BigInt( eg. 2342341293912313) |
email | String | Customer's email address | Valid email format |
emailVerified | String | Timestamp when the email was last verified | ISO 8601 format (e.g., "2025-05-16T06:26:16.514Z") |
status | Enum | Current status of the customer account | ACTIVE or INACTIVE |
createdAt | String | Timestamp when the customer account was created | ISO 8601 format (e.g., "2025-05-16T06:26:16.514Z") |
updatedAt | String | Timestamp when the customer account was last updated | ISO 8601 format (e.g., "2025-05-16T06:26:16.514Z") |
Notes:
- All timestamp fields use ISO 8601 format with millisecond precision and UTC timezone (Z suffix)
- The
statusfield is restricted to two possible values:ACTIVEorINACTIVE - The
emailVerifiedfield will benullif the email hasn't been verified
Examples
JavaScript (React)
Since the refresh token is HTTP-only, browser JavaScript cannot directly access it. This logic — including automatic token refreshing and cookie handling — is already implemented as part of the token management setup in the Axios Interceptor Setup section.
No additional changes are required here; your requests will automatically include the cookie, and expired tokens will be refreshed as needed.
Error Responses
| Status Code | Error Type | Description |
|---|---|---|
| 400 | BadRequestException | Invalid customer ID or missing store ID header |
| 401 | UnauthorizedException | Invalid or expired refresh token |
| 403 | ForbiddenException | Account inactive or suspended |
| 404 | NotFoundException | Customer record not found |
| 500 | InternalServerError | Server error during token generation |
Sample Error Response
{
"requestId": "c7d4e5f6-g8h9-i1j2-k3l4-m5n6o7p8q9r0",
"error": "UnauthorizedException",
"statusCode": 401,
"message": "Refresh token expired",
"path": "/auth/refresh/2342341293912313",
"timestamp": 1747838047845
}