Refreshing Access Tokens
Access tokens will expire after some time. When you get a token, the expires_in field indicates how long, in seconds, the token is valid for. When a token expires, it becomes invalid. If you call an API endpoint with an invalid token, the request returns 401 Unauthorized.
Only confidential applications can refresh an expired access token using the refresh_token you received along with your access token. Public applications will need to request consent again with the flow described in Access Tokens.
You should not proactively get a new access token when the old token expires, because you might not need the access token in the near future. Instead, you should only get a fresh token when you need it and the access token is invalid. Access tokens can also become invalid for other reasons before the expiration is reached, so it is good practice to handle the 401 Unauthorized response and get a new token only when required.
To get a fresh access token, send a POST request with Content-Type: application/x-www-form-urlencoded to https://gw2.me/api/token with the following parameters included in the body.
Parameter | Type | Description |
---|---|---|
grant_type | "refresh_token" | Must be refresh_token to receive a fresh access token. |
refresh_token | String | The refresh_token. |
client_id | String | The client_id of your application. |
client_secret | String | The client_secret of your application. |
The response will contain a fresh access token and also a new refresh token.
Each refresh token can only be used once. For this reason you should make sure that your application, when it is multi-threaded or using multiple workers or processes, only makes one single request to refresh the token. Using a refresh token multiple times could mean that the refresh token is compromised and might lead to gw2.me invalidating your authorization.
If the request to refresh the access token fails, the refresh token might have become invalid. You should then use the normal OAuth flow again to get a new access and refresh token.
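
An added example (not gw2.me's own code) of the refresh request described above, with a lock so that several threads that all receive 401 Unauthorized send the single-use refresh token only once. The TokenStore class, its refresh_after_401 method, the injectable transport, and the access_token / refresh_token response field names (the standard OAuth 2.0 names) are assumptions.

```python
import json
import threading
import urllib.parse
import urllib.request

TOKEN_URL = "https://gw2.me/api/token"  # token endpoint named on this page


def post_form(url, params):
    """POST params as application/x-www-form-urlencoded and parse the JSON reply."""
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # raises on 4xx/5xx
        return json.load(resp)


class TokenStore:
    """Holds one token pair and sends each refresh token at most once (hypothetical helper)."""

    def __init__(self, client_id, client_secret, access_token, refresh_token,
                 transport=post_form):
        self._lock = threading.Lock()
        self._client_id, self._client_secret = client_id, client_secret
        self.access_token, self.refresh_token = access_token, refresh_token
        self._transport = transport  # replaceable so the flow can be tested offline

    def refresh_after_401(self, rejected_token):
        """Call when an API request made with rejected_token returned 401."""
        with self._lock:
            # Another thread refreshed while we waited for the lock:
            # reuse its result instead of spending the refresh token again.
            if self.access_token != rejected_token:
                return self.access_token
            reply = self._transport(TOKEN_URL, {
                "grant_type": "refresh_token",
                "refresh_token": self.refresh_token,
                "client_id": self._client_id,
                "client_secret": self._client_secret,
            })
            # Assumed standard OAuth 2.0 field names; the old refresh token
            # is now spent, so both values are replaced together.
            self.access_token = reply["access_token"]
            self.refresh_token = reply["refresh_token"]
            return self.access_token
```

The lock only covers threads in one process; with multiple workers or processes the same check has to run under a shared lock, for example in the database that stores the tokens. If the transport raises, treat the refresh token as invalid and start the normal OAuth flow again.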