Refresh your access token                                                     

Principle

Since the access token has a short validity, it is necessary for the TPP to request its refresh before it expires.

Basic rules

The Banque Populaire account manager (ASPSP) has at most one valid access token and one valid refresh token per customer (PSU)/TPP/Role AISP or CBPII triplet:

  • The access token has a short validity period (of about one hour) on an isolated device or a client application of our customer;
  • The refresh token is valid up to 90 days;
  • The refresh token and the access token must be able to be revoked at any time;
  • If the Authorization token is revoked, then the refresh one is automatically revoked (and the other way round).

This is the sequence for refreshing the access token:

1. You ask the Banque Populaire to refresh the access token. 

2. The Banque Populaire initiates the refreshing of the access token. 

3. It retrieves the TPP certificate from the registration authority. 

4. It checks the validity and non-revocation of the certificate presented. 

5. It checks the date of the last authentication (< 90 days). 

6. It sends you the new access token and the old refresh token. 

7. You store the access token and the old refresh token in a safe place. 

8. The Banque Populaire revokes the old access token. 
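
The TPP side of the sequence above, as an added example (not code from Banque Populaire): it decides when to refresh, builds the standard OAuth2 refresh grant body (RFC 6749, section 6), and stores the result. The names TokenSet and REFRESH_MARGIN, the five-minute margin, the client_id value and all token values are assumptions constructed for illustration; reading the 90 days as counted from the last authentication follows step 5.

```python
# Added example: TPP-side token bookkeeping for the refresh sequence above.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

REFRESH_MARGIN = timedelta(minutes=5)    # assumed safety margin before expiry
REFRESH_LIFETIME = timedelta(days=90)    # refresh token validity stated on the page


@dataclass(frozen=True)
class TokenSet:
    access_token: str
    access_expires_at: datetime
    refresh_token: str
    last_authentication: datetime        # date of the PSU's last authentication

    def must_reauthenticate(self, now):
        # Step 5: past 90 days the refresh is refused; the PSU must authenticate again.
        return now - self.last_authentication >= REFRESH_LIFETIME

    def needs_refresh(self, now):
        # Ask for the refresh shortly before the access token expires, not after.
        return now >= self.access_expires_at - REFRESH_MARGIN

    def refresh_request_body(self, client_id):
        # Step 1: form-encoded refresh grant sent to the token endpoint.
        return urlencode({"grant_type": "refresh_token",
                          "refresh_token": self.refresh_token,
                          "client_id": client_id})

    def apply_response(self, resp, now):
        # Steps 6-8: store the new access token with the refresh token that came
        # back (the old one, per step 6). The previous access token is revoked by
        # the bank, so the old TokenSet must be discarded, never reused.
        return TokenSet(
            access_token=resp["access_token"],
            access_expires_at=now + timedelta(seconds=int(resp["expires_in"])),
            refresh_token=resp.get("refresh_token", self.refresh_token),
            last_authentication=self.last_authentication,  # refresh does not restart the 90 days
        )


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)       # constructed sample
    tokens = TokenSet("at-old", now + timedelta(minutes=3), "rt-1", now - timedelta(days=10))
    if tokens.must_reauthenticate(now):
        print("refresh token expired: send the PSU through authentication again")
    elif tokens.needs_refresh(now):
        print("POST body:", tokens.refresh_request_body("tpp-client"))
```
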

 

Example

You can find an example of this request in use case "Sandbox assembly".

For more details on the data exchanged, see the use case "How to retrieve your OAUTH2 access token?".