Refresh token permissions
  • I'm confused about the API and refresh token permissions. Can you explain more?
  • There are two “worlds”, OAuth, and API only.

    API world (JSON in body, proprietary to FusionAuth):

    • Application > Security > Login API Settings > Generate Refresh Tokens (Generate a refresh token when using the Login API)
    • Application > Security > Login API Settings > Enable JWT refresh (Allow a JWT to be refreshed using the /api/jwt/refresh API)

    OAuth world (form params, in body and in request, standardized):

    • Application > OAuth > Generate Refresh Tokens (Generate a refresh token if offline_access scope was requested)
    • Application > OAuth > Enabled Grants > Refresh Token (Allow a JWT to be refreshed using a refresh token)

    If you are living in the OAuth world, then you can disable the API access, and just use the OAuth configuration. And vice versa.
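The two refresh calls the answer contrasts, side by side, as an added example (not code from the thread or from FusionAuth): the Login API world sends JSON to /api/jwt/refresh, the OAuth world sends form parameters to the token endpoint with the refresh_token grant. Host, client id, secret and token values are constructed placeholders; the response shapes are what each world returns, and the parser only reads the fields it needs.

```python
import json
from urllib.parse import urlencode

# Constructed placeholders; substitute your own deployment's values.
BASE_URL = "https://auth.example.com"        # assumed FusionAuth host
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"          # OAuth world: application client id
CLIENT_SECRET = "PLACEHOLDER_CLIENT_SECRET"  # OAuth world: application client secret


def build_api_refresh_request(refresh_token: str) -> dict:
    """Login API world: JSON body to /api/jwt/refresh.
    Requires 'Enable JWT refresh' on the application; the refresh token
    itself came from a Login API call with 'Generate Refresh Tokens' on.
    Add an Authorization API-key header here only if your deployment requires one."""
    return {
        "method": "POST",
        "url": f"{BASE_URL}/api/jwt/refresh",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"refreshToken": refresh_token}),
    }


def build_oauth_refresh_request(refresh_token: str) -> dict:
    """OAuth world: form-encoded refresh_token grant to /oauth2/token.
    Requires 'Enabled Grants > Refresh Token', and the token was only issued
    because the original authorization requested the offline_access scope."""
    return {
        "method": "POST",
        "url": f"{BASE_URL}/oauth2/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "refresh_token",
            "refresh_token": refresh_token,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
        }),
    }


def extract_tokens(response_json: str) -> tuple:
    """Normalise either world's success response to (access_jwt, refresh_token).
    Login API responses use 'token'/'refreshToken'; OAuth responses use the
    standard 'access_token'/'refresh_token'. A rotated refresh token must
    replace the stored one, so it is always returned alongside the JWT."""
    data = json.loads(response_json)
    if "token" in data:
        return data["token"], data.get("refreshToken")
    return data["access_token"], data.get("refresh_token")
```

Because the two bodies are encoded differently, a client that posts JSON at /oauth2/token (or form fields at /api/jwt/refresh) fails regardless of which checkbox is enabled, which is the usual reason one "world" works and the other does not.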