> ## Documentation Index
> Fetch the complete documentation index at: https://tahsil.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate refresh token and issue new access token

> Accepts refreshToken in the body for non-browser clients or the HttpOnly refresh cookie for web clients.



## OpenAPI

````yaml /openapi/openapi.yaml post /auth/refresh
openapi: 3.1.0
info:
  title: Tahsil API
  version: 1.0.0
  description: >-
    Tahsil müşterilerinin web ve mobil uygulamalarda kullandığı tenant-scoped
    müşteri API sözleşmesi.
servers:
  - url: https://api.tahsil.dev
    description: Production
security:
  - bearerAuth: []
tags:
  - name: Operations - Health
    description: Public liveness and dependency readiness probes.
  - name: Identity - Auth
    description: User login, refresh and logout flows for token-based access.
  - name: Banking - Accounts
    description: Bank account aggregation endpoints available to customer tenants.
  - name: Banking - Transactions
    description: Bank transaction ingestion and retrieval endpoints.
  - name: Banking - Automation
    description: Tenant transaction matching rules, assignments and historical runs.
  - name: Banking - Polling
    description: Polling schedule definitions for bank connector queries.
  - name: Banking - Dashboard
    description: Flexible tenant dashboard analytics and widget query endpoints.
  - name: Audit - Connector Logs
    description: Customer-visible bank connector request/response audit trail.
  - name: Payments - Orchestration
    description: Tenant Virtual POS, rate plan and payment intent orchestration.
paths:
  /auth/refresh:
    post:
      tags:
        - Identity - Auth
      summary: Rotate refresh token and issue new access token
      description: >-
        Accepts refreshToken in the body for non-browser clients or the HttpOnly
        refresh cookie for web clients.
      operationId: postAuthRefresh
      parameters:
        - $ref: '#/components/parameters/XAuthMode'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthRefreshRequest'
      responses:
        '200':
          $ref: '#/components/responses/ItemResponse'
        '401':
          $ref: '#/components/responses/StatusResponse'
      security:
        - {}
        - refreshCookie: []
components:
  parameters:
    XAuthMode:
      name: x-auth-mode
      in: header
      required: false
      schema:
        type: string
        enum:
          - cookie
      description: >-
        Set to cookie for browser sessions. The refresh token is stored in an
        HttpOnly cookie and omitted from JSON.
  schemas:
    AuthRefreshRequest:
      type: object
      properties:
        refreshToken:
          type: string
        companyId:
          type:
            - string
            - 'null'
  responses:
    ItemResponse:
      description: Single entity response
      content:
        application/json:
          schema:
            type: object
            properties:
              status:
                type: boolean
              result:
                type: object
                additionalProperties: true
          example:
            status: true
            result:
              id: 64f000000000000000000001
    StatusResponse:
      description: Operation completed
      content:
        application/json:
          schema:
            type: object
            properties:
              status:
                type: boolean
          example:
            status: true
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
    refreshCookie:
      type: apiKey
      in: cookie
      name: tahsil_refresh

````

## Related topics

- [Authenticate user and issue token pair](/api-reference/identity--auth/authenticate-user-and-issue-token-pair.md)
- [Kimlik doğrulama](/baslangic/kimlik-dogrulama.md)
- [Revoke refresh token session](/api-reference/identity--auth/revoke-refresh-token-session.md)
- [Store or rotate encrypted provider credentials](/api-reference/banking--accounts/store-or-rotate-encrypted-provider-credentials.md)
- [5 dakikada başlayın](/baslangic/hizli-baslangic.md)
