Breaking Change: Refresh Token (Refresh Token Grant Flow)
April 15th, 2025 by Nathan Hall
Effective in API Version: v1
Type: Breaking Change
Staging Release Date: 26/04/2025
Staging Deprecation Date: 26/04/2025
Production Release Date: 06/05/2025
Production Deprecation Date: 06/05/2025
🔄 What’s Changing
- Each time you exchange a refresh token for a new access token, a new refresh token will also be returned.
- Old refresh tokens will become invalid once used.
Endpoint:
POST https://staging.adfin.com/api/oauth2/token
Example Request
curl --location 'https://staging.adfin.com/api/oauth2/token' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_id=YOUR_CLIENT_ID' \
--data-urlencode 'client_secret=YOUR_CLIENT_SECRET' \
--data-urlencode 'refresh_token={{refresh_token}}'
Example Response
{
"refresh_token": "v1.MhlEYQMefCqqYCBk6yECWoEO3HFROz_W2UUTWXnFRolR6ZMJ1nG1sH1zJJYboLUsxhxQ0_s49nLJzDNCUjuZH0Y",
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjNjY1VXRGEtT3BjeTN6cl9GWlpmYyJ9.eyJodHRwczovL2F1dGguYWRmaW4uY29tL3JvbGVzIjpbImJpbGxlci1hZG1pbiJdLCJpc3MiOiJodHRwczovL2F1dGhlbnRpY2F0aW9uLmRldi5hZGZpbi5jb20vIiwic3ViIjoiYXV0aDB8NjdmYWIwMDkwNThmNGMxMjA2ZjM4Y2QwIiwiYXVkIjpbImh0dHBzOi8vbG9jYWwtYXV0aDAtYXBpLmFkZmluLmNvbSJdLCJpYXQiOjE3NDQ3MjY5ODQsImV4cCI6MTc0NDgxMzM4NCwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCBwaG9uZSBvZmZsaW5lX2FjY2VzcyIsImF6cCI6IkltSmh3MFFFNW9POTJuOEdiZUZkZmIwM2pUVDk1VlZ1In0.KXz2GltF-l2ezPu3PqxUH55Gjlc6ccZzz6ittDUCKF5F2TZyrKAp7ekFlw6-AfQ8nmONgpXF2Q0kuAsGiWAVte8J_KpH1McVbbfOWyiM3D4UjzhCTbFWkZ3rxVkn-GTWsC3LH2vkG0PLmXFOgbVceMXw2QkGMb9XzBg630CqIGQ4kzljEKCRqKZJr8xwpxP6XrM1fdib-HFRtsCMQ9Nw5ZeHiYDAG_F8lxxi9VYqUYWSumQvE3Bj2rNdbutpeJgLK75JULc-Qkq6z3wjAAmzBE2QuCfXR8RLEn1DwyDTxlJ_84KjHPqEmNFWMLhNgIU9XQ73HEWFNmIwfDb5kaTfCg",
"expires_in": 86400,
"token_type": "Bearer"
}
🚨 Impact
If you're persisting refresh tokens, you must ensure your integration stores and uses the newly issued token after each refresh. Failing to do so will result in authentication failures.
🔧 Migration Plan
- Ensure your integration handles refresh token rotation.
- Update any logic relying on reusing the same refresh token.
- Do not attempt to reuse the code parameter in the auth flow.
- Once the new auth implementation is enabled, each platform will receive a new set of credentials.
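One way an integration can handle the rotation described above, as an added example that is not Adfin's own code: the new refresh token is written to disk atomically before the access token is handed out, and refreshes are serialized so two workers never spend the same token. `RotatingTokenStore`, `post_form` and `make_fake_endpoint` are hypothetical names; the fake endpoint is a constructed stand-in so the example runs offline, and its error type is assumed.

```python
import json, os, tempfile, threading

TOKEN_URL = "https://staging.adfin.com/api/oauth2/token"  # endpoint from this page

class RotatingTokenStore:
    """Keeps only the latest refresh token and serializes refreshes (hypothetical helper)."""
    def __init__(self, path, post_form):
        self.path, self.post_form = path, post_form  # post_form(url, fields) -> dict
        self.lock = threading.Lock()

    def _save(self, state):
        # Write to a temp file, then atomically replace, so a crash never
        # leaves a half-written token file behind. mkstemp creates it mode 0600.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(state, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def refresh(self, client_id, client_secret):
        with self.lock:  # one refresh at a time: a used token is no longer valid
            with open(self.path) as f:
                current = json.load(f)["refresh_token"]
            resp = self.post_form(TOKEN_URL, {
                "grant_type": "refresh_token", "client_id": client_id,
                "client_secret": client_secret, "refresh_token": current})
            # Persist the newly issued refresh token before returning the access token.
            self._save({"refresh_token": resp["refresh_token"]})
            return resp["access_token"]

def make_fake_endpoint(initial):
    """Constructed stand-in for the token endpoint: each refresh token works once."""
    valid, counter = {initial}, [0]
    def post_form(url, fields):
        if fields["refresh_token"] not in valid:
            raise PermissionError("invalid refresh token")  # assumed error type
        valid.discard(fields["refresh_token"])
        counter[0] += 1
        new = f"rt-{counter[0]}"  # constructed sample token values
        valid.add(new)
        return {"refresh_token": new, "access_token": f"at-{counter[0]}",
                "expires_in": 86400, "token_type": "Bearer"}
    return post_form
```

The `threading.Lock` only covers threads in one process; if several processes share one refresh token, they need a shared lock around the same load, refresh and save sequence.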