Refresh Access Token

Generate a new access token using the refresh token that was set as an HTTP-only cookie during login. This endpoint helps maintain user sessions without requiring re-authentication.

HTTP Method & Endpoint

GET | /auth/refresh/{storeId}

Path Parameter

Parameter	Type	Required	Description
`storeId`	String	Yes	StoreId (replace `{storeId}` with your actual storeId)

Request

Headers

Header	Value	Description
`Content-Type`	`application/json`	Specifies that the request body is in JSON format
`x-store-id`	`{storeId}`	StoreId (replace `{storeId}` with your actual storeId)
`Cookie`	`__Secure-unisouk.{storeId}.refresh-token={token}`	HTTP-only refresh token cookie (set by the server; inaccessible to JavaScript)

Important Notes:

The refresh token cookie is automatically set by the Login API upon successful authentication
The cookie is HTTP-only and Secure, making it inaccessible to client-side JavaScript
The cookie name follows the pattern: __Secure-unisouk.{storeId}.refresh-token
The access tokens have short expiration times (ie 15 minutes)

Response Format

Success Response (200 OK)

{
  "message": "Refresh Success.",
  "data": {
    "customer": {
      "id": "2342341293912113",
      "storeId": "2342341293912313",
      "email": "abc@gmail.com",
      "mobileNumber": null,
      "emailVerified": "2025-05-16T06:26:16.513Z",
      "mobileVerified": null,
      "status": "ACTIVE",
      "createdAt": "2025-05-16T06:25:36.043Z",
      "updatedAt": "2025-05-16T06:26:16.514Z"
    },
    "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleV9Udm1iWVUyWEdiSDk0TnpaIn0...."
  },
  "source": "db"
}

Data properties

Field	Type	Description
`accessToken`	String	New JWT access token
`customer`	Customer	Contains all details about the authenticated user

Customer Properties

Field	Type	Description	Format/Values
`id`	String	Unique identifier for the customer	BigInt( eg. `2342341293912313`)
`storeId`	String	Unique identifier of the associated store	BigInt( eg. `2342341293912313`)
`email`	String	Customer's email address	Valid email format
`emailVerified`	String	Timestamp when the email was last verified	ISO 8601 format (e.g., `"2025-05-16T06:26:16.514Z"`)
`status`	Enum	Current status of the customer account	`ACTIVE` or `INACTIVE`
`createdAt`	String	Timestamp when the customer account was created	ISO 8601 format (e.g., `"2025-05-16T06:26:16.514Z"`)
`updatedAt`	String	Timestamp when the customer account was last updated	ISO 8601 format (e.g., `"2025-05-16T06:26:16.514Z"`)

Notes:

All timestamp fields use ISO 8601 format with millisecond precision and UTC timezone (Z suffix)
The status field is restricted to two possible values: ACTIVE or INACTIVE
The emailVerified field will be null if the email hasn't been verified

Examples

cURL

curl -X POST "https://dev-sfapi.unisouk.com/auth/refresh/<STORE_ID>" \
  -H "Content-Type: application/json" \
  -H "x-store-id: <STORE_ID>" \
  -H "Cookie: __Secure-unisouk.<STORE_ID>.refresh-token=<REFRESH_TOKEN>" \
  --data ''

JavaScript (React)

Since the refresh token is HTTP-only, browser JavaScript cannot directly access it. Instead, you should:

Create a wrapper function that handles token refresh automatically
Let the browser automatically include the cookie

// Example using axios interceptors
import axios from "axios";

const api = axios.create({
  baseURL: "https://dev-sfapi.unisouk.com",
});

api.interceptors.response.use(
  (response) => response,
  async (error) => {
    const originalRequest = error.config;

    if (error.response.status === 401 && !originalRequest._retry) {
      originalRequest._retry = true;

      try {
        // The cookie will be sent automatically
        const { data } = await axios.post(
          `/auth/refresh/${getstoreId()}`,
          {},
          {
            headers: {
              "x-store-id": getstoreId(),
            },
          }
        );

        // Store new access token
        localStorage.setItem("accessToken", data.data.accessToken);

        // Retry original request
        originalRequest.headers.Authorization = `Bearer ${data.data.accessToken}`;
        return api(originalRequest);
      } catch (refreshError) {
        // Handle refresh token failure (redirect to login)
        window.location.href = "/login";
        return Promise.reject(refreshError);
      }
    }

    return Promise.reject(error);
  }
);

Error Responses

Status Code	Error Type	Description
400	`BadRequestException`	Invalid customer ID or missing store ID header
401	`UnauthorizedException`	Invalid or expired refresh token
403	`ForbiddenException`	Account inactive or suspended
404	`NotFoundException`	Customer record not found
500	`InternalServerError`	Server error during token generation

Sample Error Response

{
  "requestId": "c7d4e5f6-g8h9-i1j2-k3l4-m5n6o7p8q9r0",
  "error": "UnauthorizedException",
  "statusCode": 401,
  "message": "Refresh token expired",
  "path": "/auth/refresh/2342341293912313",
  "timestamp": 1747838047845
}

HTTP Method & Endpoint​

Path Parameter​

Request​

Headers​

Important Notes:​

Response Format​

Success Response (200 OK)​

Data properties​

Customer Properties​

Examples​

cURL​

JavaScript (React)​

Error Responses​

Sample Error Response​

Related Endpoints​