Auth
Refresh token
Rotate the session and issue fresh auth cookies.
POST
Rotates the refresh token and issues a new access token. The refresh token is read from the
The new access token and rotated refresh token are delivered as httpOnly
refreshToken cookie if present, or from the request body. This endpoint requires no auth middleware.
Body
The refresh token to rotate. Optional — if omitted, the value is read from the
refreshToken cookie.token and refreshToken cookies — they are not returned in the JSON body. The previous refresh token stays valid for a short grace window to absorb concurrent requests.