Health Gorilla access tokens have a limited lifetime (typically 1 hour). This page covers how to manage the full lifecycle of an OAuth 2.0 token, including refreshing expired tokens, validating active tokens, and revoking credentials when no longer needed.
Refreshing Tokens
If your access token expires and you’ve been issued a refresh_token, you can request a new access token without repeating the full authorization flow.
Refresh Token Request
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&client_id=your_client_id
&client_secret=your_client_secret
&refresh_token=your_refresh_token
Example Response
{
  "access_token": "new_access_token",
  "refresh_token": "new_refresh_token",
  "expires_in": 3600,
  "scope": "user/.",
  "token_type": "Bearer"
}
Note: Refresh tokens also expire and may be revoked. If a refresh fails, your application must initiate a new authorization flow.
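An added example, not Health Gorilla's own code: a small Python token holder that refreshes shortly before expiry, stores the new refresh_token returned by the response, and raises when the refresh fails so the application can start a new authorization flow. The base URL, the 60-second margin, and the names TokenManager, ReauthorizationRequired and http_post_form are assumptions.

```python
import json, time, urllib.error, urllib.parse, urllib.request

class ReauthorizationRequired(Exception):
    """Refresh failed; a new authorization flow is needed."""

def http_post_form(url, fields):
    """POST credentials in the form body (never the URL); return (status, JSON)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

class TokenManager:
    SKEW = 60  # refresh this many seconds before expiry (assumed margin)

    def __init__(self, base_url, client_id, client_secret, refresh_token,
                 post=http_post_form, clock=time.monotonic):
        self.base_url = base_url  # assumed host, not given on the page
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token, self.post, self.clock = refresh_token, post, clock
        self.access_token, self.expires_at = None, 0.0

    def get_access_token(self):
        """Return a usable access token, refreshing if missing or near expiry."""
        if self.access_token is None or self.clock() >= self.expires_at - self.SKEW:
            self._refresh()
        return self.access_token

    def _refresh(self):
        status, body = self.post(self.base_url + "/oauth/token", {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.refresh_token,
        })
        if status != 200 or "access_token" not in body:
            self.access_token = None  # never hand out a stale token
            raise ReauthorizationRequired(body.get("error", "refresh failed"))
        self.access_token = body["access_token"]
        # The response carries a new refresh_token; store it for the next cycle.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + int(body["expires_in"])
```

Keep the client secret and the stored refresh token out of logs and source control; the `post` and `clock` parameters exist so the class can be exercised without network access.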
Validating Tokens
You can verify the status and metadata of an access token using the token introspection endpoint.
Token Validation Request
GET /oauth/info?access_token=your_token
Example Success Response
{
  "client_name": "My App",
  "client_id": "abc123",
  "expires_in": 3589,
  "scope": "user/."
}
If the token is invalid or expired, the server responds with:
{
  "error": "invalid_request"
}
Revoking Tokens
You can revoke an access token or refresh token at any time using the revocation endpoint.
Revocation Request
GET /oauth/cancel?token=your_token
- Accepts either an access token or a refresh token.
- If you revoke an access token, the associated refresh token (if any) is also invalidated.
Success Response
HTTP 200 OK