How Authentication Works - Refresh Tokens

  • 2 November 2016

We have had a lot of questions around getting started with authentication, so I wanted to make sure there are some materials that help explain this. The Webroot Unity API uses OAuth 2 to generate Access and Refresh tokens. Each token has a different TTL, and is designed for specific usage. Best practices dictate that an access token should only be generated using GSM credentials once during development, and then after that, refresh tokens are used to keep the product authorized. Here are some flow charts to help explain how these different tokens are generated and used:

Initially, you will use your GSM credentials to generate your first Access token. This is a combination of your GSM username/password, and your API credentials that have been generated in the GSM console under Account Settings > API Access. (For more information on generating these credentials, please visit

Once this access token is generated, the GSM username/password combination may be removed from future authentication requests, and replaced with the refresh token, as shown above. Note that when using a refresh token for your /auth/token request, you will need to add the body key : value pairs of
refresh_token : {refresh token generated from access token}
grant_type : refresh_token
scope : *
Here is an example of the complete HTTP request for refreshing an access token with a refresh token:
POST /auth/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {access_token}
Cache-Control: no-cache
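
As an added example (not part of the original post and not Webroot's own code), the refresh request above can be built in Python and paired with a small store that decides when a refresh is due. The base URL, the `basic_value` argument and the response field names (`access_token`, `expires_in`, `refresh_token`, as in a standard OAuth 2 token response) are assumptions.

```python
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/auth/token"  # endpoint path quoted in the post


def build_refresh_request(base_url, basic_value, refresh_token):
    """Build (without sending) the refresh POST described in the post."""
    # The body carries a long-lived credential, so refuse cleartext transport.
    if not base_url.lower().startswith("https://"):
        raise ValueError("token endpoint must be reached over https")
    body = urllib.parse.urlencode({
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
        "scope": "*",
    }).encode("ascii")
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + basic_value,  # caller-supplied (assumption)
        "Cache-Control": "no-cache",
    }
    return urllib.request.Request(base_url.rstrip("/") + TOKEN_PATH,
                                  data=body, headers=headers, method="POST")


class TokenStore:
    """Holds the current token pair and decides when a refresh is due."""

    def __init__(self, skew=30, clock=time.time):
        self.skew, self.clock = skew, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def update(self, response):
        # Field names assumed to follow the standard OAuth 2 token response.
        self.access_token = response["access_token"]
        self.expires_at = self.clock() + int(response["expires_in"])
        # Keep the old refresh token if the server did not issue a new one.
        self.refresh_token = response.get("refresh_token", self.refresh_token)

    def needs_refresh(self):
        # Refresh slightly early so a request never goes out with a stale token.
        return self.access_token is None or (
            self.clock() >= self.expires_at - self.skew)
```

Only the refresh token from the store needs to be persisted between runs; the GSM username and password are not part of this request.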

3 replies

I've implemented the exact same, however the refresh token returned has an expiry of 5 mins instead of 14 days as mentioned in the guide.

How to get a refresh token that is valid for 14 days?

Hi @rhasan,

Most likely you are still using the authentication token request, which would account for the shorter TTL. Please review this documentation, and if you still continue to run into issues please reach out to our support team.

Best regards,
Joseph R.
Product Manager, Integrations

We developed our Jupiter Server to take the hard work out of authenticating to APIs.
CommitCRM and Webroot are supported.

For the Webroot API, currently only /service/api/console/gsm is supported.

But importantly you can see that C# and PowerShell are much simpler now.

Kind regards

Andrew Dent
Dentaur Pty Ltd