Akoya Documentation

Token Management

Token management covers refreshing and revoking the ID token. The ID token is the credential a client presents on calls to Akoya data endpoints such as /accounts: refreshing it keeps an existing connection usable without sending the customer back through authorization, and revoking it ends the connection so that further data calls are rejected.

"Happy path" tests

Test case: Refresh an ID token
Task(s): Call the /token endpoint with the refresh_token.
Expected result(s): Receive valid new ID and refresh tokens.

Test case: Refresh an expired ID token
Task(s):
1. Identify an id_token older than 24 hours.
2. Call the /token endpoint with the refresh_token.
Expected result(s): Receive valid new ID and refresh tokens.

Test case: Revoke an ID token
Task(s):
1. Call the /revoke endpoint.
2. Attempt a call to the /accounts endpoint.
Expected result(s):
1. HTTP 200 OK, empty payload.
2. HTTP 401 Unauthorized, error payload: { "code": 602, "message": "Customer not authorized" }

"Sad path" tests

For the meaning of each error, see the error codes documentation.

Test case: Refresh a used refresh_token
Task(s): Call /token with a refresh_token that has already been claimed.
Expected result(s): HTTP 400 Bad Request, error payload:
{ "error": "invalid_request", "error_description": "Refresh token is invalid or has already been claimed by another client." }

Test case: Refresh with an invalid client_secret
Task(s): Call /token with grant_type=refresh_token and an invalid client_secret.
Expected result(s): HTTP 401 Unauthorized, error payload:
{ "error": "invalid_client", "error_description": "Invalid client credentials." }

Test case: Revoke with an invalid client_secret
Task(s):
1. Call /revoke without a client_secret.
2. Call /revoke with an incorrect client_secret.
Expected result(s):
1. HTTP 400 Bad Request, error payload: { "error": "invalid_request" }
2. HTTP 401 Unauthorized, error payload: { "error": "unauthorized_client" }

Test case: Obtain a token with an invalid authorization code
Task(s):
1. Call /token with an expired code.
2. Call /token with an incorrect code.
Expected result(s) (both tasks): HTTP 400 Bad Request, error payload:
{ "error": "invalid_request", "error_description": "Invalid or expired code parameter." }

Test case: Obtain a token with an incorrect redirect_uri
Task(s): Call /token with a redirect_uri that differs from the one sent in the authorization request.
Expected result(s): HTTP 400 Bad Request, error payload:
{ "error": "invalid_request", "error_description": "redirect_uri did not match URI from initial request." }

Test case: Obtain a token with a missing or incorrect grant_type
Task(s):
1. Call /token without a grant_type field.
2. Call /token with an incorrect grant_type value.
Expected result(s): HTTP 400 Bad Request, error payload:
{ "error": "invalid_grant" }

Test case: Obtain a token with incorrect client credentials
Task(s):
1. Call /token with an incorrect client_id.
2. Call /token with an incorrect client_secret.
Expected result(s):
1. HTTP 401 Unauthorized, error: invalid_client
2. HTTP 401 Unauthorized, error payload: { "error": "invalid_client", "error_description": "Invalid client credentials." }

Test case: Refresh a token without a refresh_token
Task(s): Call /token with grant_type=refresh_token but without the current refresh_token.
Expected result(s): HTTP 400 Bad Request, error payload:
{ "error": "invalid_request", "error_description": "No refresh token in request." }
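The two tables above describe a contract: refresh tokens rotate and are single-use, authorization codes are single-use, revocation makes the ID token useless at /accounts, and each failure has a fixed status and payload. The following is an added example, not Akoya's code: an in-memory stand-in that implements that contract, plus a runner that walks the documented happy- and sad-path cases against it so the expected responses can be checked offline. The class name, the random token format, the `token` parameter on /revoke, the `now` argument used to age an id_token past 24 hours, and the callback URL are assumptions made for this illustration.

```python
# Added example, not Akoya's code: an in-memory stand-in for the /token, /revoke and
# /accounts behaviour the test tables describe, plus a runner for the documented cases.
# The class, token format, "token" parameter on /revoke and 24h id_token age are assumed.
import secrets
import time
from dataclasses import dataclass

INVALID_CLIENT = (401, {"error": "invalid_client",
                        "error_description": "Invalid client credentials."})
NOT_AUTHORIZED = (401, {"code": 602, "message": "Customer not authorized"})


def bad_request(description=None):
    """400 with the error payload shape used in the sad-path table."""
    return 400, {"error": "invalid_request",
                 **({"error_description": description} if description else {})}


@dataclass
class Session:
    refresh_token: str
    id_token: str
    issued_at: float
    revoked: bool = False


class MockTokenService:
    """Single-use authorization codes; refresh tokens rotate and are single-use."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.codes = {}        # code -> redirect_uri it was issued for
        self.by_refresh = {}   # refresh_token -> Session
        self.by_id = {}        # id_token -> Session, consulted by /accounts
        self.claimed = set()   # refresh tokens that have already been exchanged

    def issue_code(self, redirect_uri):      # what the authorization step hands back
        code = secrets.token_urlsafe(8)
        self.codes[code] = redirect_uri
        return code

    def _new_session(self, now):
        s = Session(secrets.token_urlsafe(24), secrets.token_urlsafe(24), now)
        self.by_refresh[s.refresh_token], self.by_id[s.id_token] = s, s
        return 200, {"id_token": s.id_token, "refresh_token": s.refresh_token}

    def token(self, params, client_id, client_secret, now=None):
        now = time.time() if now is None else now
        if (client_id, client_secret) != (self.client_id, self.client_secret):
            return INVALID_CLIENT
        grant = params.get("grant_type")
        if grant == "authorization_code":
            code = params.get("code")
            if code not in self.codes:
                return bad_request("Invalid or expired code parameter.")
            if params.get("redirect_uri") != self.codes[code]:
                return bad_request("redirect_uri did not match URI from initial request.")
            del self.codes[code]              # a code can be exchanged exactly once
            return self._new_session(now)
        if grant == "refresh_token":
            rt = params.get("refresh_token")
            if not rt:
                return bad_request("No refresh token in request.")
            old = self.by_refresh.get(rt)
            if old is None or old.revoked or rt in self.claimed:
                return bad_request("Refresh token is invalid or has already been claimed by another client.")
            self.claimed.add(rt)              # rotation: the presented token is burned
            return self._new_session(now)     # the old id_token's age is irrelevant here
        return 400, {"error": "invalid_grant"}   # grant_type missing or unknown

    def revoke(self, params, client_id, client_secret):
        if client_secret is None:
            return bad_request()
        if (client_id, client_secret) != (self.client_id, self.client_secret):
            return 401, {"error": "unauthorized_client"}
        s = self.by_refresh.get(params.get("token"))  # assumed: token= carries the refresh_token
        if s is not None:
            s.revoked = True
        return 200, {}                        # empty payload, also for unknown tokens (RFC 7009)

    def accounts(self, id_token):
        s = self.by_id.get(id_token)
        return NOT_AUTHORIZED if s is None or s.revoked else (200, {"accounts": []})


def run_documented_cases(cid="app-id", sec="app-secret"):
    """Walks the test tables above against the mock; returns {case: passed}."""
    svc, cb, r = MockTokenService(cid, sec), "https://rp.example/callback", {}

    def ac(code, uri):                        # authorization_code exchange
        return svc.token({"grant_type": "authorization_code", "code": code,
                          "redirect_uri": uri}, cid, sec)

    def rf(rt, secret=sec, now=None):         # refresh_token exchange
        return svc.token({"grant_type": "refresh_token", "refresh_token": rt}, cid, secret, now)

    r["wrong redirect_uri"] = ac(svc.issue_code(cb), cb + "/other")[0] == 400
    code = svc.issue_code(cb)
    st, first = ac(code, cb)
    r["replayed code"] = ac(code, cb)[1]["error_description"] == "Invalid or expired code parameter."
    st, second = rf(first["refresh_token"])
    r["refresh"] = st == 200 and second["refresh_token"] != first["refresh_token"]
    r["replayed refresh_token"] = rf(first["refresh_token"])[0] == 400
    later = svc.by_id[second["id_token"]].issued_at + 25 * 3600      # id_token now >24h old
    st, third = rf(second["refresh_token"], now=later)
    r["refresh with expired id_token"] = st == 200
    r["refresh wrong secret"] = rf(third["refresh_token"], secret="wrong") == INVALID_CLIENT
    r["revoke without secret"] = svc.revoke({"token": third["refresh_token"]}, cid, None)[0] == 400
    r["revoke wrong secret"] = svc.revoke({"token": third["refresh_token"]}, cid, "wrong")[0] == 401
    r["revoke"] = svc.revoke({"token": third["refresh_token"]}, cid, sec) == (200, {})
    r["accounts after revoke"] = svc.accounts(third["id_token"]) == NOT_AUTHORIZED
    return r
```

The practical consequence of the "used refresh_token" case is worth keeping in mind when writing a real client: because the token presented to /token is burned on success, the client must persist the new refresh_token before doing anything else with the response, and it must not retry a refresh with the old value after a transport failure. A 400 with "already been claimed by another client" in production is therefore either a client-side persistence bug or a sign that the refresh_token has leaked and been replayed, and should be investigated rather than silently retried.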

Changelog

Date: 2025-Jan-02
Update: Original