
Using OAuth Refresh Tokens

When a seller authorizes your application via OAuth 2.0, you receive both a short-lived Access Token (1 hour) and a long-lived Refresh Token (1 year).

This guide explains how you can use Refresh Tokens to obtain new Access Tokens.

When to Use a Refresh Token

You should use your Refresh Token to get a new Access Token before your current Access Token expires, or after an API call fails with an authentication error indicating an expired token (e.g., a 401 Unauthorized response).

Exchanging a Refresh Token for a New Access Token

To get a new Access Token, make a POST request to the Depop token endpoint.

Token Endpoint URL

This is the same endpoint used to exchange the authorization code:

https://partnerapi.depop.com/api/v1/oauth2/access-token/

Request Parameters

The request must be sent with a Content-Type header of application/x-www-form-urlencoded and include the following parameters in the request body:

| Parameter | Required | Description |
| --- | --- | --- |
| grant_type | Yes | Must be refresh_token. |
| refresh_token | Yes | The long-lived refresh_token you received previously and stored securely. |
| client_id | Yes | Your application's Client ID. |
| client_secret | Yes | Your application's Client Secret. Required for authenticating your client request. |

Try it out

If you followed the steps in the Your First OAuth Connection guide, you will already have a refresh_token.

You can use Postman to make the request:

  1. Open the Seller API collection.
  2. Expand api/v1 > oauth2 and select the OAuth 2.0 token endpoint (authorization code exchange) request.
  3. Underneath the URL, click on the Body tab.
  4. Make sure it's set to x-www-form-urlencoded.
  5. Change the fields to match the ones described in the Request Parameters section above.

Success Response

If the request is valid, the token endpoint will return a 200 OK response with a JSON body containing a new Access Token and a new Refresh Token:

{
    "access_token": "pat_c89529c1f7c74d1ebc9e7a6e786a80d6_5b0b942be922f43d9f0bf7b7f2b38b9ea615cae2",
    "refresh_token": "prt_c89529c1f7c74d1ebc9e7a6e786a80d6_cc08fc9261021661e674dd18da195d2833e10e04",
    "expires_in": 3600,
    "token_type": "Bearer"
}

Note that:

  • You receive a new Refresh Token with every successful refresh request.
  • The previous Access Token and Refresh Token are immediately invalidated and cannot be used again.
  • You must securely store the new Refresh Token and use it for the next refresh request.
  • The new Refresh Token inherits the original expiration date of the grant (1 year from initial user consent).

Error Response

If the request fails (e.g., the refresh token is invalid, expired, revoked, or client authentication fails), the token endpoint will return an error response, typically with a 400 Bad Request or 401 Unauthorized status code and a JSON body:

{
    "code": 401,
    "error": "invalid_refresh_token",
    "message": "Invalid refresh token",
    "id": "4bf13c3d-2db8-4b25-a99f-75b019c92b98",
    "detail": "Invalid refresh token",
    "error_message": "Invalid refresh token",
    "error_description": "Invalid refresh token"
}
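
The refresh request and the rotation rules above, as an added Python example (not Depop's own code): it allows one refresh at a time, writes the new token pair atomically to an owner-only file before returning, and surfaces the `error` field of a failure response. The token file path, the injectable `post` transport and the helper names are assumptions of this example.

```python
import json, os, tempfile, threading
import urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://partnerapi.depop.com/api/v1/oauth2/access-token/"
_refresh_lock = threading.Lock()  # a parallel refresh would replay an invalidated token

def http_post_form(url, fields):
    """POST fields as application/x-www-form-urlencoded; return (status, JSON body)."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 400/401 carry the JSON error body
        return err.code, json.load(err)

def save_tokens(path, tokens):
    """Atomically replace the token file; mkstemp creates it owner-only (0600)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        json.dump(tokens, fh)
    os.replace(tmp, path)

def refresh(path, client_id, client_secret, post=http_post_form):
    """Rotate the stored token pair and return the new access token.

    path (token file) and post (injectable transport) are assumptions of this example.
    """
    with _refresh_lock:
        with open(path) as fh:
            stored = json.load(fh)
        status, body = post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": stored["refresh_token"],
            "client_id": client_id,
            "client_secret": client_secret,
        })
        if status != 200:
            # Report only the error code; never log the request fields or tokens.
            raise RuntimeError(f"refresh failed: {status} {body.get('error')}")
        # Persist the new pair before returning: the old tokens are already invalid.
        save_tokens(path, {"access_token": body["access_token"],
                           "refresh_token": body["refresh_token"]})
        return body["access_token"]
```

The lock only serializes refreshes within one process; workers on separate hosts need a shared lock or a single component that owns the refresh.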