Documentation

Refresh Tokens

Use offline_access to renew access tokens without prompting the user to log in again.

Requesting a refresh token

Include the offline_access scope in your authorization request. After consent (when applicable), the token response includes a refresh_token.

Refreshing

refresh.ts
const body = new URLSearchParams({
  grant_type: "refresh_token",
  refresh_token: "STORED_REFRESH_TOKEN",
  client_id: "YOUR_CLIENT_ID",
  client_secret: "YOUR_CLIENT_SECRET",
});

const res = await fetch("https://auth.rdnt.live/api/auth/oauth2/token", {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body,
});

const tokens = await res.json();
// May include a rotated refresh_token — persist the new value
Tip
Refresh proactively when the access token is within ~60 seconds of expiry to avoid user-visible failures.

Rotation

Radiant Auth may return a new refresh token on each refresh. Always replace the stored refresh token when a new one is present. Reusing an invalidated refresh token should fail — treat that as a forced re-login.

Revocation

On logout, revoke the refresh token at https://auth.rdnt.live/api/auth/oauth2/revoke so it cannot be reused.

Warning
Refresh tokens are long-lived credentials. Encrypt them at rest and never send them to the browser for confidential clients.