Refresh your token

➤ Principle 

The refresh token issued by the bank (ASPSP) is valid for up to 90 days and needs to be renewed before it expires. Please also note that:

  • Authorization and refresh tokens can be revoked at any moment;
  • If the authorization token is revoked, the refresh token is automatically revoked as well (and the other way round);
  • The access token has a shorter life cycle (10 to 15 min) on a standalone device.

➤ How it works?

1. You request a refresh token using POST /token

2. The ASPSP:

  • Identifies and authenticates the TPP through the presented eIDAS certificate (QWAC);
  • Checks the direct or indirect match between the Authorization Number in the eIDAS certificate and the [client_id] value;
  • Checks the date of the last PSU SCA (< 90 days).

3. If everything is correct, the ASPSP answers with an HTTP 200 (OK) that embeds a new authorization token and a new refresh token, which replace the previous ones. You need to store these tokens safely.

4. The ASPSP de facto revokes the previous refresh token:

  • After expiry of the delay between two SCAs specified by law;
  • After expiry of a delay specified by the ASPSP based on its internal rules, if any;
  • After rejecting a request for insufficient scope, so that the AISP can request another token with the desired scope;
  • On request of a PSU wanting to revoke the TPP's access to his/her account data.

Please also note that, as a TPP, you can ask for the revocation of the refresh token yourself through a POST /revoke request.
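The following is an added example (not code from the ASPSP, STET or this page) of how a TPP client can drive the steps above: build the POST /token refresh call and the POST /revoke call, present the QWAC as TLS client certificate, parse the HTTP 200 answer into a new token pair that replaces the old one, and decide when renewal is due before the 90-day limit. It assumes standard OAuth 2.0 shapes (RFC 6749 section 6 for the refresh grant, RFC 7009 for revocation); the endpoint URL, certificate paths, client_id and sample tokens are placeholders.

```python
"""TPP-side refresh/revoke handling (added example; assumes OAuth 2.0 + mutual TLS)."""
import json
import ssl
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlencode

REFRESH_TOKEN_LIFETIME = 90 * 24 * 3600  # 90 days, as stated on the page
DEFAULT_ACCESS_LIFETIME = 15 * 60        # page says 10-15 min; used if no expires_in is returned
RENEW_MARGIN = 7 * 24 * 3600             # our choice: renew a week before the 90-day limit

ASPSP_BASE_URL = "https://aspsp.example/oauth2"  # placeholder, not a real ASPSP
CLIENT_ID = "tpp-client-id-placeholder"          # must match the Authorization Number in the QWAC
QWAC_CERT = "/path/to/qwac.pem"                  # placeholder path to the TPP's QWAC
QWAC_KEY = "/path/to/qwac-key.pem"               # placeholder path to its private key


@dataclass
class TokenSet:
    """The pair returned by POST /token plus the expiry times we track locally."""
    access_token: str
    refresh_token: str
    access_expires_at: float
    refresh_expires_at: float


def build_refresh_request(client_id: str, refresh_token: str) -> dict:
    """Step 1: form body of POST /token, RFC 6749 section 6 refresh grant."""
    return {
        "path": "/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "refresh_token",
            "refresh_token": refresh_token,
            "client_id": client_id,
        }),
    }


def build_revoke_request(client_id: str, refresh_token: str) -> dict:
    """TPP-initiated revocation via POST /revoke, RFC 7009 shape (assumed)."""
    return {
        "path": "/revoke",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "token": refresh_token,
            "token_type_hint": "refresh_token",
            "client_id": client_id,
        }),
    }


def apply_token_response(status: int, body: str, now: float) -> TokenSet:
    """Step 3: parse the HTTP 200 answer into the new pair that replaces the old one.

    Any other status means the old refresh token must be considered revoked
    (step 4), so the caller must not keep using it."""
    if status != 200:
        raise PermissionError(f"token refresh rejected with HTTP {status}: {body}")
    data = json.loads(body)
    return TokenSet(
        access_token=data["access_token"],
        refresh_token=data["refresh_token"],
        access_expires_at=now + int(data.get("expires_in", DEFAULT_ACCESS_LIFETIME)),
        refresh_expires_at=now + REFRESH_TOKEN_LIFETIME,
    )


def needs_refresh(tokens: TokenSet, now: float) -> bool:
    """True when the access token has expired or the refresh token is inside the renewal margin."""
    return now >= tokens.access_expires_at or tokens.refresh_expires_at - now <= RENEW_MARGIN


def mtls_context() -> ssl.SSLContext:
    """Step 2: present the QWAC as client certificate so the ASPSP can authenticate the TPP."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(certfile=QWAC_CERT, keyfile=QWAC_KEY)
    return ctx


def send(request: dict) -> tuple:
    """Perform the call over mutual TLS; returns (status, body). Needs real credentials."""
    req = urllib.request.Request(
        ASPSP_BASE_URL + request["path"],
        data=request["body"].encode(),
        headers=request["headers"],
        method="POST",
    )
    with urllib.request.urlopen(req, context=mtls_context()) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Offline walk-through with a constructed ASPSP answer (no network call).
    old = TokenSet("at-old", "rt-old", 0.0, 1_000.0)
    if needs_refresh(old, now=500.0):
        status, body = 200, '{"access_token": "at-new", "refresh_token": "rt-new", "expires_in": 600}'
        new = apply_token_response(status, body, now=500.0)
        print("store new pair, discard", old.refresh_token, "->", new.refresh_token)
```

Only `send` touches the network; the builders and `apply_token_response` are pure so they can be unit-tested with constructed responses. Storing `refresh_expires_at` locally matters because the ASPSP may revoke earlier than 90 days (step 4), so a non-200 answer must always be treated as "pair is gone, re-run SCA" rather than retried.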

➤ Revoke the token

Revoking the refresh token before its expiration (at 90 days) is possible; see STET specification V1.4.2 / part 1 "Framework" / paragraph 3.4.2.8 "Refresh token revocation".

➤ Example

You can find an example of this request in the section "Test our API", then "Sandbox".