Refresh your token



The refresh token issued by the bank ASPSP is valid up to 90 days and needs to be renewed before it expires. Please also note that:

  • Authorization and refresh tokens can be revoked at any moment;
  • If the Authorization token is revoked, then the refresh one is automatically revoked (and the other way round);
  • The access token has a shorter life cycle (10 to 15 min) on a standalone device.


How does it work?

1. You request a refresh token using POST /token

 See also STET V1.4.0.47 / Part I / section / page 25


2. ASPSP :

  • Identifies and authenticates the TPP through the presented eIDAS certificate (QWAC)
  • Checks the direct or indirect matching between the Authorization Number within the eIDAS certificate and the [client_id] value.
  • Checks the date of the last PSU SCA (< 90 days).


3. If correct, the ASPSP then answers with an HTTP 200 (OK) that embeds a new authorization token and refresh token that can replace the previous ones. You need to store these tokens safely.


4. The ASPSP de facto revokes the previous refresh token:

  • After timeout of the by-law specified delay between two SCAs;
  • After timeout of the ASPSP specified delay based on internal rules, if any;
  • After rejection of a request for insufficient scope, in order to allow the AISP to request another token with the desired scope;
  • On request of a PSU wanting to revoke the TPP access on his/her account data.
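
The client side of steps 1 to 4, as an added example that is not code from this portal or from the STET specification. It keeps the token pair together, refreshes shortly before the access token expires, swaps in both new tokens, and treats a rejected or too-old refresh token as "new SCA required". Assumptions: the form fields follow RFC 6749 section 6 plus the [client_id] named above, `post_token` is a hypothetical transport that performs POST /token over mutual TLS with the QWAC, `fake_aspsp` is a constructed stand-in, and the 60-second margin is arbitrary.

```python
import time
from urllib.parse import urlencode, parse_qs

REFRESH_LIFETIME = 90 * 24 * 3600  # page: refresh token valid up to 90 days
ACCESS_MARGIN = 60                 # assumption: renew 60 s before access token expiry

class ReauthenticationRequired(Exception):
    """The refresh token is expired or revoked; a new PSU SCA is needed."""

class TokenStore:
    def __init__(self, client_id, tokens, sca_time, now=time.time):
        self.client_id, self.sca_time, self.now = client_id, sca_time, now
        self._replace(tokens)

    def _replace(self, tokens):
        # Swap both tokens together: the previous refresh token is superseded.
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens["refresh_token"]
        self.access_expiry = self.now() + tokens["expires_in"]

    def needs_refresh(self):
        return self.now() >= self.access_expiry - ACCESS_MARGIN

    def refresh(self, post_token):
        # post_token(body) -> (status, json_dict): hypothetical mTLS transport for POST /token.
        if self.now() - self.sca_time >= REFRESH_LIFETIME:
            raise ReauthenticationRequired("last PSU SCA is 90 days old or more")
        body = urlencode({"grant_type": "refresh_token",
                          "refresh_token": self.refresh_token,
                          "client_id": self.client_id})
        status, payload = post_token(body)
        if status == 200:
            self._replace(payload)
            return self.access_token
        if status == 400 and payload.get("error") == "invalid_grant":
            # Revoked or expired on the ASPSP side: discard the dead tokens.
            self.access_token = self.refresh_token = None
            raise ReauthenticationRequired("refresh token rejected by ASPSP")
        raise RuntimeError(f"token endpoint returned HTTP {status}")  # keep tokens, retry later

def fake_aspsp(valid_refresh_token):
    """Constructed stand-in for the ASPSP: accepts the current refresh token, then rotates it."""
    issued = [valid_refresh_token]
    def post_token(body):
        if parse_qs(body)["refresh_token"][0] != issued[-1]:
            return 400, {"error": "invalid_grant"}
        issued.append(f"rt-{len(issued)}")
        return 200, {"access_token": f"at-{len(issued) - 1}", "refresh_token": issued[-1], "expires_in": 900}
    return post_token
```

A transient failure (any status other than 200 or 400 invalid_grant) leaves the stored tokens untouched so the refresh can be retried.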

Please also note that, as a TPP, you are able to ask for the revocation of the refresh token through a POST /revoke request.

 See also STET V1.4.0 / Part I / section / page 26

           RFC 7009, cf.