POST /api/sys/users/token/refresh

Refresh Token

Issues a short-lived, opaque server-side token tied to the authenticated customer’s session. The portal uses this token exclusively to build redirect URLs that require the customer to land in an authenticated state on the legacy server-rendered side of Nexudus — for example, when opening a file download or navigating to a server-rendered page from within the React portal. The token is placed in the URL (?t=) and is not the bearer token itself.
This is not an OAuth token-refresh operation. It does not rotate the bearer token or the refresh_token held by the client. Use POST /api/token with grant_type=refresh_token to renew an expiring bearer token instead.

Authentication

Requires a valid customer bearer token.

Request Body

This endpoint accepts no body parameters. Send the request with no body; authentication is established entirely via the Authorization header.

Response

Returns an ActionConfirmation envelope.
WasSuccessful (boolean, required): true when a server-side token was issued successfully. The component rendering the authenticated link should remain disabled until this is true.
Value (string | null): The short-lived opaque token string. Append this as the t query parameter when constructing authenticated redirect URLs (e.g. /user/login?server=true&t={Value}&redirectUrl=...). null when WasSuccessful is false.
Status (number): HTTP-style status code mirrored in the response body. 200 on success, 500 on failure.
Message (string | null): Human-readable message. Usually null on success.
Errors (any): Validation or server errors. null on success.

Examples

Successful token refresh

POST /api/sys/users/token/refresh
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
{
  "WasSuccessful": true,
  "Value": "a3f8c2d1e5b74091bc6e2f3a4d5c6b7e",
  "Status": 200,
  "Message": null,
  "Errors": null
}

Using the token in a redirect URL

Once WasSuccessful is true, construct the authenticated URL as follows:
{NativeHomeUrlWithLanguage}/user/login?server=true&t={Value}&redirectUrl={encodeURIComponent(targetPath)}
For example:
https://app.example.com/en/user/login?server=true&t=a3f8c2d1e5b74091bc6e2f3a4d5c6b7e&redirectUrl=%2Fen%2Finvoices%2Fdownload%2F42

TypeScript Integration

import endpoints from '@/api/endpoints'
import { useTypedData } from '@/api/fetchData'
import { createShape } from '@/helpers/shape-helper'
import { ActionConfirmation } from '@/types/ActionConfirmation'

const endpoint = endpoints.system.auth.refresh()

// Request only the two fields needed to build the redirect URL
const shape = createShape<typeof endpoint.type>()(['Value', 'WasSuccessful'])

const { resource: tokenData } = useTypedData(httpClient, endpoint, shape, { method: 'post' })

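// httpClient, business and href are supplied by the surrounding component (not shown)
// tokenData?.WasSuccessful === true means the link is ready to use
// tokenData?.Value is the opaque token to embed in the redirect URL
// Until then wrappedUrl stays undefined, so the link is never built with t=undefined
const wrappedUrl = tokenData?.WasSuccessful && tokenData.Value
  ? `${business.NativeHomeUrlWithLanguage}/user/login?server=true&t=${tokenData.Value}&redirectUrl=${encodeURIComponent(href)}`
  : undefined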
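
A defensive way to build the wrapped URL described above, shown as an added example and not taken from the Nexudus portal source. TokenConfirmation, isPortalRelativePath, buildAuthenticatedUrl and redactToken are hypothetical names, and the code assumes redirect targets are always paths on the portal itself.

```typescript
// Hypothetical type: only the two envelope fields needed to build the link.
interface TokenConfirmation {
  WasSuccessful: boolean
  Value: string | null
}

// Assumption: redirect targets are always paths on the portal itself, so anything
// a browser could resolve to another origin is rejected before it is wrapped.
function isPortalRelativePath(target: string): boolean {
  if (target.charAt(0) !== '/') return false       // absolute URLs, other schemes, relative input
  if (target.slice(0, 2) === '//') return false    // protocol-relative URL
  if (target.indexOf('\\') !== -1) return false    // browsers normalise "\" to "/"
  return !/[\u0000-\u001f\u007f]/.test(target)     // control characters such as CR/LF or tab
}

// Returns the wrapped URL, or null while the link must stay disabled.
function buildAuthenticatedUrl(
  nativeHomeUrlWithLanguage: string,
  confirmation: TokenConfirmation | undefined,
  targetPath: string
): string | null {
  if (!confirmation || confirmation.WasSuccessful !== true) return null
  if (typeof confirmation.Value !== 'string' || confirmation.Value === '') return null
  if (!isPortalRelativePath(targetPath)) return null
  const base = nativeHomeUrlWithLanguage.replace(/\/+$/, '')
  return (
    `${base}/user/login?server=true` +
    `&t=${encodeURIComponent(confirmation.Value)}` +
    `&redirectUrl=${encodeURIComponent(targetPath)}`
  )
}

// The token travels in the query string, so mask it before a URL is logged or reported.
function redactToken(url: string): string {
  return url.replace(/([?&]t=)[^&#]*/g, '$1[REDACTED]')
}

// Constructed sample values (same token and target as the example on this page).
const issued: TokenConfirmation = { WasSuccessful: true, Value: 'a3f8c2d1e5b74091bc6e2f3a4d5c6b7e' }
const sampleUrl = buildAuthenticatedUrl('https://app.example.com/en', issued, '/en/invoices/download/42')
console.log(sampleUrl ? redactToken(sampleUrl) : 'link disabled')
```

Because the token is carried in the query string, apply redactToken (or an equivalent filter) wherever full URLs are written to client logs or error reports.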

Usage in Portal

Context | Source file
Authenticated redirect links (e.g. file downloads, PDF views) | src/components/AuthenticatedLink.tsx

Error Responses

401 Unauthorized (error): The bearer token is missing, expired, or invalid. The customer must sign in again via POST /api/token.

Method | Endpoint | Description
POST | /api/token | Exchange email and password (or a refresh token) for a new bearer token
POST | /api/sys/users/exchange | Exchange a server-issued JWT for a bearer token
GET | /api/auth/media/customer | Obtain a short-lived JWT for accessing protected media files