Get the access token using the refresh token. Get familiar with the API endpoint with request and response.

Use a previously obtained refresh token to generate a new access token. Access tokens are short-lived; you can check the expires_in parameter when generating an access token to determine its lifetime (in seconds). If you need the client application to access Xoxoday data, store the refresh token you get when initiating your OAuth integration and use it to generate a new access token once the initial one expires.


Please note

Please note that the refresh_token generated with this response will be a new refresh_token. So going forward, the client must replace the old refresh_token with the new one.



For every 4xx error encountered, we recommend you generate a new access & refresh token using the Refresh token API

Instances where Xoxoday will invalidate your access_token to safeguard your account

Token Invalidation InstancesError Code
Super Admin resets their account's password"{
""success"": 0,
""error_message_id"": ""auth.token_error""
Super Admin adds another Super Admin and the new Super Admin generates a new token"{
""error"": ""invalid_token"",
""error_description"": ""invalid/expired token""
Unusual number of requests on Refresh Token API"{

Before we move to the API endpoints, it is important to implement the Refresh Token in a programmatic way to ensure there is no manual intervention required

Since the access token expires in 15 days, your systems need to regenerate the access token periodically for continued access to the plumPRO API platform.


Access tokens can be programmatically regenerated on expiry. Refresh tokens cannot be. Once a refresh token expires, you need to generate a new refresh token from the dashboard only.

Access tokens can be regenerated by using the refresh token, client ID, and client secret that were fetched from the dashboard and stored at your end.

The user token API above returns the following:

  • A new access token
  • A new refresh token
  • Expiry details for the access token in EPOCH from the current time. Learn more about EPOCH here

After this operation, the refresh token you saved earlier will no longer be valid since we create a new session for you and invalidate the older session. So, you will have to update the refresh token you had saved earlier with this new refresh token.

This new refresh token should be used the next time you generate an access token.

As a recommended practice, we suggest you refresh tokens every 7 days or at least before the access token expires to ensure seamless API calls.

A simple CRON/scheduler script can be set up at your end to call the API at the above frequency and update the new access and refresh tokens.

Click Try It! to start a request and see the response here!