> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prelude.so/llms.txt
> Use this file to discover all available pages before exploring further.

# Refresh session

> Spend a refresh token and generate a new access token.



## OpenAPI

````yaml post /v1/session/refresh
openapi: 3.1.1
info:
  title: Prelude Session Frontend API
  version: 0.0.1
  description: The Prelude Frontend API for Session Management
  contact:
    email: support@prelude.so
servers:
  - url: https://{appId}.session.prelude.dev
    description: Production server
    variables:
      appId:
        default: changeme
        description: The appID
security: []
tags:
  - name: Login OTP
    description: Login and step-up via OTP (phone or email)
  - name: Login Email Password
    description: Login via email and password
  - name: Login OAuth
    description: Login via OAuth providers
  - name: Login Finalize
    description: Finalize a login flow and create a session
  - name: Login Migration
    description: Migrate sessions from a legacy authentication system
  - name: Session
    description: Session refresh and revocation
  - name: Session Management
    description: Authenticated session and identifier management
  - name: Step-Up
    description: Step-up authentication flow
  - name: Well-Known
    description: Public key discovery endpoints
  - name: Password
    description: Password compliancy and change password
paths:
  /v1/session/refresh:
    post:
      tags:
        - Session
      summary: Refresh session
      description: Spend a refresh token and generate a new access token.
      operationId: refreshSession
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SessionRefreshRequest'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SessionRefreshResponse'
          headers:
            Set-Cookie:
              schema:
                type: string
              description: Updated refresh token cookie
            X-Refresh-Token:
              schema:
                type: string
              description: The refresh token (DPoP flow)
            X-Refresh-Token-Expires-At:
              schema:
                type: string
                format: date-time
              description: The refresh token expiration time (DPoP flow)
            DPoP-Nonce:
              schema:
                type: string
              description: Server-issued DPoP nonce (RFC 9449)
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BadRequestError'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                oneOf:
                  - $ref: '#/components/schemas/UnauthorizedError'
                  - $ref: '#/components/schemas/InvalidDPoPProofError'
                  - $ref: '#/components/schemas/MissingDPoPProofError'
                  - $ref: '#/components/schemas/DPoPKeyMismatchError'
                  - $ref: '#/components/schemas/UseDPoPNonceError'
        '500':
          description: Internal Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InternalError'
      security:
        - refreshCookieAuth: []
components:
  schemas:
    SessionRefreshRequest:
      type: object
      properties:
        step_up_token:
          type: string
          description: >-
            Optional step-up token to include additional scopes in the access
            token.
          examples:
            - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9...
    SessionRefreshResponse:
      type: object
      properties:
        access_token:
          type: string
          examples:
            - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9...
        expires_at:
          type: integer
          format: int64
          description: Unix timestamp of when the access token expires.
          examples:
            - 1717689600
      required:
        - access_token
        - expires_at
    BadRequestError:
      type: object
      properties:
        code:
          type: string
          enum:
            - bad_request
        type:
          type: string
          enum:
            - bad_request
    UnauthorizedError:
      type: object
      properties:
        code:
          type: string
          enum:
            - unauthorized
        type:
          type: string
          enum:
            - unauthorized
    InvalidDPoPProofError:
      type: object
      properties:
        code:
          type: string
          enum:
            - invalid_dpop_proof
        type:
          type: string
          enum:
            - unauthorized
    MissingDPoPProofError:
      type: object
      properties:
        code:
          type: string
          enum:
            - missing_dpop_proof
        type:
          type: string
          enum:
            - unauthorized
    DPoPKeyMismatchError:
      type: object
      properties:
        code:
          type: string
          enum:
            - dpop_key_mismatch
        type:
          type: string
          enum:
            - unauthorized
    UseDPoPNonceError:
      type: object
      properties:
        code:
          type: string
          enum:
            - use_dpop_nonce
        type:
          type: string
          enum:
            - unauthorized
    InternalError:
      type: object
      properties:
        code:
          type: string
          enum:
            - internal
        type:
          type: string
          enum:
            - internal
  securitySchemes:
    refreshCookieAuth:
      type: apiKey
      in: cookie
      name: __refresh_{app_id}

````