Skip to content

Silently refresh the RPT token

If you want to avoid having to respond to HTTP 401 errors to refresh the RPT token (see reauth on 401), you can opt to silently refresh the RPT token before it expires.


In this step by step guide we are assuming a service that acts on its own behalf.

Schematic overview

Silent Refresh Schema

Steps to follow

Beginning at the start, you want your service to start its initial authenticaton/authorization with Obelisk. This is a 2-phase protocol that requires an Auth Token to get the eventual RPT token that is required to talk to the Obelisk APIs.

Get Auth Token

To get the Auth token, you simply follow step 1.2 of the Auth details section. Temporarily store this auth token, because you will need it to request the RPT token.

Get RPT Token

To get the RPT token, you simply follow step 2 of the Auth details section. The access_token mentioned there, is the Auth Token acquired in our previous step. Now store the received RPT token and its refresh_token plus the expires_in time (which is in seconds). You will need it later. At the same time of receiving the RPT token, you have to schedule a refresh in the future. (see next step)

Schedule RPT refresh

Using the expires_in time of the RPT token minus some leeway (say 10 seconds), you can now schedule a refresh of the RPT token. This way the RPT token will be refreshed, before any 401 error occurs because it expired.

Do API request

Meanwhile, you can now do regular API calls by just adding a header Authorization with Bearer rpt_token, as explained in step 3 of the Auth details section.

Refresh RPT token

When the scheduled RPT refresh activates, refresh the RPT token. If the refresh_token is not expired yet (it shouldn't be if your service was not idle), you can simply refresh the RPT token, by following the procedure explained in step 4 of the Auth details section. Don't forget to save your new tokens and schedule a new RPT refresh (with the new tokens!). You should be able to call the Obelisk APIs again with the new tokens.

401 Unauthorized

If you encounter a 401 Unauthorized, this will likely be because your service/application was idle for longer than the RPT token validity time. If this happens, the most pragmatic way to cope with it, is by redoing the auth procedure from the start.


You could also opt to first check if the RPT refresh token is expired already. If it is not, you might be able to do a RPT refresh anyway. If it is already expired, redo the auth procedure from the start as mentioned.