Skip to main content
POST

Refresh Token

Refresh an expired MCP Identity Token (MIT) using a refresh token.

Request

Headers

X-API-Key
string
required
Your MCP Rank API key

Body Parameters

refresh_token
string
required
The refresh token from the original token response

Response

access_token
string
New MCP Identity Token (JWT)
refresh_token
string
New refresh token (old one is invalidated)
expires_in
integer
Seconds until the new access token expires (typically 3600)
token_type
string
Always Bearer

Token Rotation Security

MCP Identity implements refresh token rotation for security:
  1. Each refresh token can only be used once
  2. Using a refresh token returns a new refresh token
  3. The old refresh token is immediately invalidated
  4. If a refresh token is reused (potential attack), all user tokens may be revoked
Always use the new refresh token from the response. The old refresh token is invalidated after use.

Error Responses

Error Response