Refresh your token
The refresh token issued by the bank ASPSP is valid up to 90 days and needs to be renewed before it expires. Please also note that :
- Authorization and refresh tokens can be revoked at any moment ;
- If the Authorization token is revoked, then the refresh one is automatically revoked (and the other way round) ;
- The access token has a shorter life cycle (10 to 15min) on standalone device.
How it works ?
1. You request for a refresh token using POST /token
See also STET V22.214.171.124 / Part I / section 126.96.36.199 / page 25
2. ASPSP :
- Identifies and authenticates the TPP through the presented eIDAS certificate (QWAC)
- Checks the direct or indirect matching between the Authorization Number within the eIDAS certificate and the [client_id] value.
- Controls last PSU SCA date (< 90 jours).
3. If correct, ASPSP then answers through a HTTP200 (OK) that embeds a new autorization token and refresh token that can replace the previous one. You need to store safely these tokens.
4. ASPSP de facto revokes the previous refresh token :
- After timeout of the by-law specified delay between two SCAs ;
- After timeout of the ASPSP specified delay based on internal rules if any ;
- After reject of a request for insufficient scope in order to allow the AISP to request another token with the desired scope ;
- On request of a PSU wanting to revoke the TPP access on his/her account data.
Please also note that, as a TPP, you are able to ask for the revocation of the refresh token through a POST /revoke request.
See also STET V1.4.0 / Part I / section 188.8.131.52 / page 26
RFC 7009, cf. https://tools.ietf.org/html/rfc7009