Refresh token
Get a new access token using a refresh token. The X-App-ID header must match the value used during authentication; a mismatch revokes the refresh token. The Authorization header must contain an authenticated access token (`sub=user_auth`); MFA challenge tokens are rejected.
`POST /v1/refresh-token`
Authorization: `Bearer <token>`
In: header
Header Parameters
`X-App-ID` (string, optional)
Application identifier. Must be a value from the configured whitelist (e.g. web-app, admin-app, configurator-app). When provided, the refresh token cookie is scoped per application to prevent cross-app token collisions. If a whitelist is configured and the value is not in it, the request is rejected with 400.
`X-Device-ID` (string, optional)
Device identifier for device binding.
Response Body (application/json)

Example request:

```bash
curl -X POST "https://example.com/v1/refresh-token" \
  -H "Authorization: Bearer <token>"
```

Success response:

```json
{
  "access_token": "string",
  "expires_in": 0,
  "idle_timeout_seconds": 0,
  "user_id": "a169451c-8525-4352-b8ca-070dd449a1a5"
}
```

Invalid application identifier (400):

```json
{
  "code": "auth_m.invalid_app_id",
  "message": "Invalid application identifier"
}
```

Invalid or expired token:

```json
{
  "code": "auth.invalid_token",
  "message": "Invalid or expired token"
}
```
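The request checks described on this page, modelled as an added Python sketch (not the service's own code) so the rejection paths and the revoke-on-mismatch rule can be exercised in a test. Assumptions: the names `RefreshRecord` and `check_refresh`, the 401 status, the `mfa_challenge` subject value, reusing `auth.invalid_token` for app-ID and device mismatches, and accepting a request that omits `X-App-ID` when none was bound.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Example whitelist values taken from the X-App-ID description above.
ALLOWED_APP_IDS = frozenset({"web-app", "admin-app", "configurator-app"})

INVALID_APP = (400, "auth_m.invalid_app_id")   # documented status and code
INVALID_TOKEN = (401, "auth.invalid_token")    # code documented, 401 assumed


@dataclass
class RefreshRecord:
    """Hypothetical server-side state stored with one refresh token."""
    app_id: Optional[str]      # X-App-ID seen during authentication
    device_id: Optional[str]   # X-Device-ID the token is bound to
    revoked: bool = False


def check_refresh(claims: dict, app_id: Optional[str], device_id: Optional[str],
                  record: RefreshRecord,
                  allowed=ALLOWED_APP_IDS) -> Tuple[int, Optional[str]]:
    """Return (status, error_code); (200, None) means a new token may be issued."""
    # 1. Whitelist: a supplied app ID outside the configured list is a 400.
    #    Checked first so a malformed header never touches token state.
    if allowed and app_id is not None and app_id not in allowed:
        return INVALID_APP

    # 2. Only fully authenticated access tokens may refresh; an MFA challenge
    #    token carries a different subject and is rejected.
    if claims.get("sub") != "user_auth":
        return INVALID_TOKEN

    # 3. A refresh token revoked earlier stays unusable.
    if record.revoked:
        return INVALID_TOKEN

    # 4. App ID must equal the value used at authentication. A mismatch
    #    revokes the refresh token, not just this one request.
    if app_id != record.app_id:
        record.revoked = True
        return INVALID_TOKEN

    # 5. Device binding (assumed behaviour: reject when the bound device differs).
    if record.device_id is not None and device_id != record.device_id:
        return INVALID_TOKEN

    return (200, None)
```

Because step 4 mutates the record, a client that sends the wrong whitelisted `X-App-ID` once must authenticate again; retrying with the correct header will not recover the session.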