When performing your initial request you can supply the offline_access scope and then the response will include an additional refresh_token field.

These refresh tokens have a much longer expiry than standard access tokens (typically around a month). They cannot be used for API requests and can only be used to generate new access tokens. Generating access tokens in this manner does not require interactive user access.

Method: POST

URL:  https://app.nationalcrimecheck.com.au/oauth2/token 

Request fields:

• client_id
• client_secret
• grant_type -- must be "refresh_token"
• refresh_token

Response fields:

• access_token -- the newly generated access token
• token_type -- always "Bearer"
• expires_in -- seconds until the access token expires
• scope -- scopes available for this token
• refresh_token -- if this is supplied, then the refresh token has been updated and future requests should use this new refresh token. If not supplied, then the existing refresh token is still valid and shoud continue to be used.

Refresh token expiry

Refresh tokens have a much longer expiry than access tokens, typically around a month; in contrast standard access tokens are only valid for several hours.

Each request to the refresh token will extend the expiry time of the refresh token.

When requesting a new access token, if the refresh_token field is returned then your stored refresh token should be updated to the new token. If this field is not returned then the existing refresh token is still valid and should continue to be used.