Learn about generating new user access tokens.
A refresh token lets your application obtain new user access tokens without requiring the user to re-authorise. Refresh tokens are valid for up to 20 years, enabling long-term access to user accounts.
You’ll receive a refresh token in the same response as the user access token.
User access tokens are valid for 12 hours by default. Use the refresh token to generate a new user access token before the token expires (Wise recommends a 6 hour refresh cadence).
Make a create an OAuth token request with grant_type set to refresh_token.
curl -X POST https://api.wise.com/oauth/token \
-u '<client_id>:<client_secret>' \
-d 'grant_type=refresh_token' \
-d 'refresh_token=<REFRESH_TOKEN>'When you use a refresh token to generate a new access token, the previous access token is immediately invalidated.
Your application must switch to the new token for all subsequent API calls. Any in-flight requests using the old token will receive a 401 invalid_token error.
- Encrypt refresh tokens at rest as they grant long-term access.
- Use centralised storage and avoid multiple services refreshing simultaneously.
- Monitor for anomalies as unusual refresh patterns may indicate compromise.
- If you suspect a token is compromised, prompt the user to re-authorise (for partners using the
authorization_codegrant) or request a new user access and refresh token pair (for partners using theregistration_codegrant flow).
An invalid token returns the error invalid_grant. A refresh token can be invalidated before its 20-year expiration for any of the following reasons:
- User revokes your application's access.
- User enables enhanced security on their account.
- Wise revokes token due to security concerns.
- Token validity period expires (if configured shorter than the default value).
- A new refresh token is generated via a registration code — this immediately invalidates the previous refresh token for that user
For embedded finance partners, or other partners that use the authorization_code grant type.
When a refresh token becomes invalid, your application should:
- Detect the
invalid_granterror from the token response. - Clear the stored access token and refresh token for that user.
- Redirect the user through the OAuth authorisation flow to obtain a new authorisation code, then exchange it for a new token pair.
Correspondent and enterprise partners typically don't have a user-facing OAuth redirect flow. If your refresh token is invalidated:
- Detect the
invalid_granterror from the token response. - Clear the stored tokens for that user or profile.
- Use your registration code to generate a new token pair via
POST /oauth/tokenwithgrant_type=registration_code. The registration code is your primary recovery mechanism — store it securely!- If the registration code is also invalid (for example, because the user reclaimed the account), contact api@wise.com for assistance.
Exchanging a registration code generates a new refresh token and immediately invalidates any previous refresh token for that user. Ensure your application updates its stored tokens immediately after the exchange.
A common cause of token errors is multiple services or instances refreshing the same token simultaneously. When two concurrent refresh requests are made:
- Both requests succeed and return different access tokens.
- Only the last token issued is valid — the first is immediately invalidated.
- Any service using the first token receives
401 invalid_tokenerrors.
To prevent situations where multiple services invalidate each other's tokens:
- Centralise token management: Use a single service or process responsible for refreshing tokens and distributing the current valid token to other services.
- Never refresh in parallel: If two refresh requests execute simultaneously, both will succeed, but only the token from the second response will be valid. The first token will immediately return
401 invalid_token. - Use locking or queuing: Implement a mutex or queue around your refresh logic to ensure only one refresh request is in-flight at any time.
These errors can occur when calling POST /oauth/token with grant_type=refresh_token:
| HTTP status | Error code | Cause |
|---|---|---|
400 | invalid_grant | The refresh token is expired, revoked, or not recognised. |
401 | invalid_client | Your client_id or client_secret is incorrect, or the Basic Auth header is malformed. |
400 | invalid_request | The grant_type parameter is missing from the request body. |
Example invalid_grant response:
{
"error": "invalid_grant",
"error_description": "Invalid refresh token (expired or revoked)"
}If your requests fail with 401 invalid_token immediately after a successful refresh:
- Check for concurrent refresh requests. Another service may have refreshed the token after you did, invalidating your token. Fetch the latest token from your central token store.
- Confirm you're using the new token. Verify your application updated its stored token and is not still using the previous access token.
- Check the environment. Sandbox tokens are not valid in production, and vice versa.