POST /v1/identity/refresh

Refresh Token

Refresh an expired MCP Identity Token (MIT) using a refresh token.

Request

curl -X POST https://api.mcprank.com/v1/identity/refresh \
  -H "X-API-Key: sk_mcp_rank_..." \
  -H "Content-Type: application/json" \
  -d '{"refresh_token": "rt_abc123..."}'

Headers

X-API-Key (string, required): Your MCP Rank API key

Body Parameters

refresh_token (string, required): The refresh token from the original token response

Response

access_token (string): New MCP Identity Token (JWT)
refresh_token (string): New refresh token (old one is invalidated)
expires_in (integer): Seconds until the new access token expires (typically 3600)
token_type (string): Always Bearer
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "refresh_token": "rt_xyz789...",
  "expires_in": 3600,
  "token_type": "Bearer"
}

Token Rotation Security

MCP Identity implements refresh token rotation for security:
  1. Each refresh token can only be used once
  2. Using a refresh token returns a new refresh token
  3. The old refresh token is immediately invalidated
  4. If a refresh token is reused (potential attack), all user tokens may be revoked

Always use the new refresh token from the response. The old refresh token is invalidated after use.
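
A client-side sketch of living with these rotation rules, added here as an example and not taken from MCP Rank's own code or SDK. `RotatingTokenClient`, `post`, `save` and `FakeRefreshEndpoint` are hypothetical names; the fake endpoint is a constructed stand-in that follows the four rules above so the example runs offline.

```python
import threading
import time

class ReauthRequired(Exception):
    """The refresh token was rejected; the user has to authenticate again."""

class RotatingTokenClient:
    def __init__(self, post, save, refresh_token):
        self._post = post   # post(body) -> (http_status, json_dict), wraps the HTTP call
        self._save = save   # save(token_or_None), durable storage for the refresh token
        self._lock = threading.Lock()
        self._refresh, self._access, self._expires_at = refresh_token, None, 0.0

    def access_token(self, skew=30):
        # One lock around check-and-refresh: a single-use token is never sent twice.
        with self._lock:
            if self._access and time.monotonic() < self._expires_at - skew:
                return self._access
            if self._refresh is None:
                raise ReauthRequired("no refresh token held")
            status, body = self._post({"refresh_token": self._refresh})
            if status == 400:   # invalid_grant: invalid, expired or already used
                self._access = self._refresh = None
                self._save(None)
                raise ReauthRequired(body.get("detail", "invalid_grant"))
            if status != 200:   # 401 / 429: assumed not to consume the token, so keep it
                raise RuntimeError(f"refresh failed: HTTP {status}")
            self._refresh = body["refresh_token"]
            self._save(self._refresh)   # persist the new token before relying on it
            self._access = body["access_token"]
            self._expires_at = time.monotonic() + body["expires_in"]
            return self._access

class FakeRefreshEndpoint:
    """Constructed stand-in for POST /v1/identity/refresh (rotation rules 1-4)."""
    def __init__(self, first_token):
        self.valid, self.used, self.n = {first_token}, set(), 0

    def __call__(self, body):
        token = body["refresh_token"]
        if token not in self.valid:
            if token in self.used:
                self.valid.clear()   # reuse detected: revoke every outstanding token
            return 400, {"detail": "Invalid or expired refresh token"}
        self.n += 1
        new = f"rt_constructed_{self.n}"
        self.valid, self.used = {new}, self.used | {token}
        return 200, {"access_token": f"at_constructed_{self.n}", "refresh_token": new,
                     "expires_in": 3600, "token_type": "Bearer"}
```

Without the lock, two workers that both see an expired access token would each submit the same refresh token, and the second request would look like reuse to the server.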

Error Responses

| Status Code | Error | Description |
|---|---|---|
| 400 | invalid_grant | Invalid, expired, or already-used refresh token |
| 401 | - | Missing or invalid API key |
| 429 | - | Rate limit exceeded |

Error Response
{
  "detail": "Invalid or expired refresh token"
}