# Using Access Token

The Access Token received from the Token URL can be used to access the API by sending it in the Authorization header as a Bearer token, e.g.:

```http
GET https://api.passolution.eu/api/v2/infosystem/passolution
Authorization: Bearer eyJ...
```

# Refreshing Access Token

The Refresh Token received with the Access Token can be used to get a **new Access Token & Refresh Token** before the expiry by making a POST request to the Authorization Server's Token Refresh URL (https://web.passolution.eu/oauth/token):

**Note**: A Refresh Token can be used only once. Make sure to store the new Refresh Token received when refreshing an Access Token for future use.

```http
POST https://web.passolution.eu/oauth/token
Content-Type: application/json

{
  "client_id": "your-client-id",
  "client_secret": "your-client-secret",
  "grant_type": "refresh_token",
  "refresh_token": "refresh-token-value"
}
```

**Note**: The Token Refresh URL is rate limited to 300 requests per minute.

| Parameter | Description |
| --- | --- |
| client_id | Your OAuth Client ID |
| client_secret | Your OAuth Client Secret. **It should not be stored outside of your secure servers** |
| grant_type | The 'grant_type' field should be set to 'refresh_token' when using a refresh token to generate a new Access Token |
| refresh_token | The refresh token that was received when exchanging the 'authorization code' for an Access Token |

The Token Refresh URL endpoint will respond with a JSON response containing the following fields:

```json
{
  "expires_in": 31536000,
  "access_token": "eyJ...",
  "refresh_token": "def..."
}
```

| Parameter | Description |
| --- | --- |
| expires_in | Number of seconds after which the new access token will expire. |
| access_token | New Access Token for the User |
| refresh_token | **New Refresh Token** for the User which can be used to generate a new Access Token again |

**Note**: A Refresh Token can be used only once. Make sure to store the new Refresh Token received in the response for future use.
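
The single-use Refresh Token rule above, as an added example that is not part of the original documentation: a small store that refreshes shortly before expiry, serializes refreshes so the same Refresh Token is never sent twice, and writes the new pair to an owner-only file before returning. The class name, the token file path, the `skew` margin and the injected `post(url, json_body)` callable are assumptions; only the Token Refresh URL and the field names come from this page.

```python
import json
import os
import threading
import time

TOKEN_URL = "https://web.passolution.eu/oauth/token"  # Token Refresh URL from the page

class RotatingTokenStore:
    """Keeps the current Access/Refresh Token pair on disk and rotates it safely."""

    def __init__(self, path, client_id, client_secret, post, skew=300):
        # Assumption: post(url, json_body) sends the JSON body and returns the parsed JSON reply.
        self.path, self.post, self.skew = path, post, skew
        self.client_id, self.client_secret = client_id, client_secret
        self._lock = threading.Lock()  # one refresh at a time: the token is single-use

    def save(self, tokens):
        """Atomically persist a token response with no group/other file access."""
        record = {"access_token": tokens["access_token"],
                  "refresh_token": tokens["refresh_token"],
                  "expires_at": time.time() + tokens["expires_in"]}
        tmp = self.path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(record, fh)
        os.replace(tmp, self.path)  # old pair stays intact until the new one is written

    def access_token(self):
        """Return a valid Access Token, refreshing `skew` seconds before expiry."""
        with self._lock:
            with open(self.path) as fh:
                current = json.load(fh)
            if current["expires_at"] - self.skew > time.time():
                return current["access_token"]
            fresh = self.post(TOKEN_URL, {
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "grant_type": "refresh_token",
                "refresh_token": current["refresh_token"],
            })
            self.save(fresh)  # store the NEW Refresh Token; the old one is now spent
            return fresh["access_token"]

def bearer_headers(store):
    """Authorization header for API calls; keep its value out of logs."""
    return {"Authorization": "Bearer " + store.access_token()}
```

The lock only covers threads in one process; when several processes or hosts share one token pair, the same serialization has to happen in the shared store they use.
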
# Important Note

**OAuth Client Secret, Access Tokens & Refresh Tokens must be kept confidential**. **DO NOT** expose these details anywhere in public forums, repositories, logs or in your website's client-side code (HTML, JavaScript) as it may lead to data theft or loss.