Refresh your token
➤ Principle
The refresh token issued by the bank ASPSP is valid for up to 180 days and must be renewed before it expires. Please also note that:
- Authorization and refresh tokens can be revoked at any moment
- If the Authorization token is revoked, then the refresh one is automatically revoked (and the other way round)
- The access token has a shorter life cycle (10 to 15 minutes) on a standalone device
➤ How it works
1. You request a refresh token using POST /token
2. The ASPSP:
- Identifies and authenticates the TPP through the presented eIDAS certificate (QWAC)
- Checks the direct or indirect matching between the Authorization Number within the eIDAS certificate and the [client_id] value
- Checks the date of the last PSU SCA (< 180 days presently)
3. If everything is correct, the ASPSP answers with an HTTP 200 (OK) that embeds a new authorization token and refresh token, which replace the previous ones. You need to store these tokens safely.
4. The ASPSP de facto revokes the previous refresh token:
- After timeout of the by-law specified delay between two SCAs
- After timeout of the ASPSP specified delay based on internal rules if any
- After rejection of a request for insufficient scope, in order to allow the AISP to request another token with the desired scope
- On request of a PSU wanting to revoke the TPP access on his/her account data
Please also note that, as a TPP, you are able to ask for the revocation of the refresh token through a POST /revoke request.
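The TPP side of the flow above, as an added example (not the bank's or STET's code): it builds the POST /token form body with the standard OAuth 2.0 refresh grant parameters, decides whether to refresh or send the PSU back through SCA, and rotates and stores both tokens. The state field names, the 60-second margin and the 600-second default lifetime are assumptions.

```python
import json
import os
import tempfile
from urllib.parse import urlencode

SCA_WINDOW = 180 * 24 * 3600  # page: last PSU SCA must be < 180 days old
ACCESS_MARGIN = 60            # assumption: refresh 60 s before access token expiry

def build_refresh_body(client_id, refresh_token):
    """Form body for POST /token (RFC 6749 section 6 refresh grant).
    The request itself is sent over mutual TLS with the TPP's QWAC."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": client_id})

def next_action(state, now):
    """Return 'sca', 'refresh' or 'ok' for a stored token state."""
    if now - state["last_sca"] >= SCA_WINDOW:
        return "sca"      # a refresh would be refused: the PSU must redo SCA
    if now >= state["access_expires_at"] - ACCESS_MARGIN:
        return "refresh"
    return "ok"

def apply_refresh_response(state, resp, now):
    """Rotate both tokens from an HTTP 200 body; the old refresh token is dropped."""
    if not resp.get("access_token") or not resp.get("refresh_token"):
        raise ValueError("response lacks a token; keep the current state")
    return {**state,      # last_sca is unchanged: a refresh is not an SCA
            "access_token": resp["access_token"],
            "refresh_token": resp["refresh_token"],
            # assumption: 600 s default when expires_in is absent
            "access_expires_at": now + int(resp.get("expires_in", 600))}

def save_state(path, state):
    """Write atomically, owner-only, so a crash cannot leave a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:  # mkstemp creates the file with mode 0600
        json.dump(state, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)
```

Persist the rotated state before using the new access token: once the ASPSP has answered, the previous refresh token can no longer be relied on.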
➤ Revoke the token
The refresh access token can be revoked before its expiration after 180 days; see the STET specifications.
➤ Example
You can find an example of this request in the section "Test our API" and then "Sandbox".