# Refresh access token

> Refresh the access token using a refresh token.
>
> - Web clients: use the httpOnly refresh token cookie with the `X-CSRF-Token` header
> - Mobile/Desktop/Server clients: send `refreshToken` in the request body




## OpenAPI

````yaml https://raw.githubusercontent.com/InsForge/InsForge/main/openapi/auth.yaml post /api/auth/refresh
openapi: 3.0.3
info:
  title: Insforge Authentication API
  version: 2.0.0
  description: Authentication endpoints with separated auth and profile tables
servers: []
security: []
paths:
  /api/auth/refresh:
    post:
      tags:
        - Client
      summary: Refresh access token
      description: >
        Refresh access token using refresh token.

        - Web clients: Use httpOnly refresh token cookie with X-CSRF-Token
        header

        - Mobile/Desktop/Server clients: Send refreshToken in request body
      parameters:
        - name: client_type
          in: query
          schema:
            type: string
            enum:
              - web
              - mobile
              - desktop
              - server
            default: web
          description: >
            Client type determines how refresh tokens are handled:

            - web: Refresh token from httpOnly cookie, requires X-CSRF-Token
            header

            - mobile/desktop/server: refreshToken provided in request body, new
            refreshToken returned in response
        - name: X-CSRF-Token
          in: header
          schema:
            type: string
          description: >-
            CSRF token received from login/register response (required for web
            clients only)
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                refreshToken:
                  type: string
                  description: >-
                    Refresh token (required for mobile/desktop/server clients
                    only)
      responses:
        '200':
          description: Token refreshed successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  user:
                    $ref: '#/components/schemas/UserResponse'
                  accessToken:
                    type: string
                  csrfToken:
                    type: string
                    nullable: true
                    description: >-
                      New CSRF token for subsequent refresh requests (web
                      clients only)
                  refreshToken:
                    type: string
                    nullable: true
                    description: >-
                      New refresh token for mobile/desktop/server clients (must
                      be persisted for next refresh)
        '401':
          description: No refresh token provided or user not found
        '403':
          description: Invalid CSRF token
components:
  schemas:
    UserResponse:
      type: object
      properties:
        id:
          type: string
          format: uuid
        email:
          type: string
          format: email
        profile:
          type: object
          nullable: true
          additionalProperties: true
          description: User profile data (name, avatar_url, and custom fields)
          properties:
            name:
              type: string
            avatar_url:
              type: string
              format: uri
        metadata:
          type: object
          nullable: true
          additionalProperties: true
          description: System metadata (device ID, login IP, etc.)
        emailVerified:
          type: boolean
        providers:
          type: array
          items:
            type: string
        createdAt:
          type: string
          format: date-time
        updatedAt:
          type: string
          format: date-time

````
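
The two refresh flows in the spec above, written as client code. This is an added example, not InsForge's own code; the `store` object, the function names and the choice to drop all local tokens on 401/403 are assumptions.

```javascript
// Added example, not InsForge code. `store` is a hypothetical in-memory token
// holder: { accessToken, csrfToken, refreshToken }.
const BODY_CLIENTS = ['mobile', 'desktop', 'server'];

// Build the request the spec describes for each client_type.
function buildRefreshRequest(baseUrl, clientType, store) {
  const url = `${baseUrl}/api/auth/refresh?client_type=${encodeURIComponent(clientType)}`;
  const init = { method: 'POST', headers: {} };
  if (clientType === 'web') {
    // Refresh token rides in the httpOnly cookie; script only supplies the CSRF token.
    if (!store.csrfToken) throw new Error('missing CSRF token');
    init.credentials = 'include';
    init.headers['X-CSRF-Token'] = store.csrfToken;
  } else if (BODY_CLIENTS.includes(clientType)) {
    if (!store.refreshToken) throw new Error('missing refresh token');
    init.credentials = 'omit';
    init.headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify({ refreshToken: store.refreshToken });
  } else {
    throw new Error(`unknown client_type: ${clientType}`);
  }
  return { url, init };
}

// Fold the response into the store. Assumption of this example: 401 and 403
// both end the session locally and send the user back to login.
function applyRefreshResponse(clientType, status, body, store) {
  if (status === 401 || status === 403) {
    store.accessToken = store.csrfToken = store.refreshToken = null;
    return { ok: false, reauthenticate: true };
  }
  if (status !== 200 || !body || typeof body.accessToken !== 'string') {
    return { ok: false, reauthenticate: false }; // e.g. transient 5xx: keep tokens
  }
  store.accessToken = body.accessToken;
  // csrfToken and refreshToken are nullable; never overwrite a stored value with null.
  if (clientType === 'web' && body.csrfToken) store.csrfToken = body.csrfToken;
  if (clientType !== 'web' && body.refreshToken) store.refreshToken = body.refreshToken;
  return { ok: true, reauthenticate: false };
}

// fetchImpl is injectable so the flow can be exercised without a network.
async function refreshAccessToken(baseUrl, clientType, store, fetchImpl = fetch) {
  const { url, init } = buildRefreshRequest(baseUrl, clientType, store);
  const res = await fetchImpl(url, init);
  const body = res.status === 200 ? await res.json() : null;
  return applyRefreshResponse(clientType, res.status, body, store);
}
```

For non-web clients the stored refresh token is replaced on every successful call, which is what the spec's "must be persisted for next refresh" requires; a client that keeps sending the old value should expect a 401.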