Skip to content
Postman API Testing Tips

How To Get Access Token Using Refresh Token Oauth2 Postman

API Testing Blog

Obtaining Access Tokens Using Refresh Tokens in OAuth 2.0 with Postman

In many OAuth 2.0 scenarios, access tokens have a limited lifespan. When an access token expires, you need a way to obtain a new one without requiring the user to re-authenticate. This is where refresh tokens come into play. Refresh tokens allow you to exchange them for new access tokens without user interaction, extending the session’s duration.

This guide explains how to use Postman to obtain a new access token using a refresh token in OAuth 2.0, covering various scenarios based on the specific requirements of your setup.

1. Understanding Refresh Tokens in OAuth 2.0

Refresh tokens are crucial for maintaining authenticated sessions without requiring continuous user intervention. They typically have a longer lifespan compared to access tokens. When your access token expires, you can send the refresh token to the authorization server to obtain a fresh access token. This is achieved through a dedicated endpoint, usually referred to as the “token endpoint.”

2. Essential Setup in Postman

Before delving into the practical steps, you need to set up Postman correctly.

  • Create a New Collection: Organize your requests by creating a new collection specifically for your OAuth 2.0 interactions. This keeps your tests structured and manageable.

  • Define Environment Variables: Employ environment variables to store sensitive data like your client ID, client secret, and endpoint URLs. This ensures that your API keys don’t appear directly in your requests and makes it easier to switch between different environments.

  • Configure Authentication: Postman provides built-in OAuth 2.0 support. Navigate to the “Authorization” tab in any request, and select “OAuth 2.0.”

3. Practical Example: Using a Refresh Token in Postman

Now let’s walk through a step-by-step example of obtaining a new access token using a refresh token in Postman.

1. Create a New Request: Begin by creating a POST request in your collection. This request will target the token endpoint defined by your OAuth 2.0 provider.

2. Configure Authorization: Under the “Authorization” tab in Postman, select “OAuth 2.0.” Populate the following fields:

* **Grant Type:** Use "refresh_token" as the grant type.
* **Token Name:** Provide a meaningful name (e.g., "Access Token").
* **Token Scope:** Specify the access scopes needed for your application.
* **Refresh Token:** This is the critical field. It's where you'll paste the actual refresh token. Postman allows using an environment variable, making it convenient to manage.

3. Define Request Body: The request body for the token endpoint typically includes the following parameters:

* **grant_type:**  Set to "refresh_token."
* **refresh_token:**  The actual refresh token you received during the initial authentication process. This should usually be passed as an environment variable to protect it from direct exposure.
* **client_id:** Your application's client ID.
* **client_secret:**  Your application's client secret.

4. Send the Request: Once you’ve configured the request body, click “Send” to submit it to the token endpoint.

5. Extract and Store the New Access Token: If successful, the response from the token endpoint will include a new access token. You need to extract this token and store it for subsequent API calls. You can achieve this using a Postman “Test” script:

// Extract the access token from the response
const newAccessToken = pm.response.json().access_token;


// Store the access token in an environment variable for future use
pm.environment.set("access_token", newAccessToken);

4. Understanding Refresh Token Expiration and Renewal

Refresh tokens also have an expiration time. Once a refresh token expires, it cannot be used to obtain new access tokens. When your refresh token nears its expiration, you’ll need to implement a strategy for refreshing it. This typically involves obtaining a fresh refresh token from the authorization server. The specific process for this will depend on your OAuth 2.0 flow.

5. Example Request Body (JSON):

{
    "grant_type": "refresh_token",
    "refresh_token": "{{refresh_token}}",
    "client_id": "{{client_id}}",
    "client_secret": "{{client_secret}}"
}

6. Example Test Script (JavaScript):

   pm.test("New Access Token Received", function () {
        pm.response.to.have.status(200);
        pm.expect(pm.response.json().access_token).to.be.a('string');
    });


    // Extract the new access token
    const newAccessToken = pm.response.json().access_token;


    // Store the new access token for future use
    pm.environment.set("access_token", newAccessToken);

7. Important Considerations

  • Security: When working with refresh tokens, prioritize security. Never expose them in client-side code. Use environment variables or secure storage mechanisms to protect them.
  • Scope Control: Ensure you only request the required scopes for your application’s functionality.
  • Error Handling: Implement robust error handling. If the refresh token is expired or invalid, you’ll need to handle this scenario appropriately.

8. Conclusion

By mastering the use of refresh tokens in OAuth 2.0 with Postman, you can streamline your API testing process and ensure secure, long-lasting sessions. This effectively reduces the need for frequent user authentication, enhancing the user experience and improving your application’s security posture. Remember to prioritize security best practices, particularly when handling sensitive data like refresh tokens.

API Testing Blog