The LUSID ACCESS token generated by your identity provider (the default being Okta) expires after 1 hour. Instead of going through the entire authentication flow every time your token expires, you can use a REFRESH token to generate a new ACCESS token each time you need one. 

If you aren't already familiar with the authentication process see getting started with the LUSID APIs and SDKs.

Obtaining application details

To generate a REFRESH token, you need to make POST request to your dedicated LUSID Okta tenant’s token endpoint using a set of authorisation details. The details for your applications can be collected from the Application Details page on LUSID's dashboard. To browse to the Applications Dashboard:

  1. Browse to your LUSID homepage (
  2. Select the Identity And Access Management Dashboard
  3. Select the Applications page and click on the View button of your application
  4. Collect application details from the Application Details screen.


LUSID Dashboard


Application details screen

(Note - if you cannot see the Identity and Access Management page, please follow-up with your LUSID administrator, as you may not have correct entitlements)

Making a request for access and refresh tokens

In this section we show how users can make requests for ACCESS and REFRESH tokens using the curl tool. As a first step, you will need to generate an ACCESS token. You can see a sample ACCESS token request below. Make sure that you include the "offline_access" in the scope parameter so that the server sends back a REFRESH token also. 

In the curl requests below, replace the token URL (i.e. the URL ending /v1/token) with the token URL identified in the Application Details window for this application.

Get an access and refresh token from Okta


To use the REFRESH token to generate a new ACCESS token you can make a POST request to the same URL as the initial authentication with a grant type of refresh_token and provide the REFRESH token in the body.

The main difference between this request and the initial request is that instead of sending your client id, client secret, username and password along with your request, you will instead need to send the client id and client secret in the authorization header using basic authentication.

Using a refresh token to generate a new access token


This request will return a new ACCESS token.