
Refresh Tokens


Refresh Tokens must be stored securely.


The offline_access scope must be included in the authorization request scope parameter to allow for Refresh Tokens.

Refresh Token

Access Tokens have a lifetime of 20 minutes. After an Access Token has expired or it becomes invalid, the Refresh Token grant type is used in order to obtain a new Access Token. By default, Refresh Tokens of TradeStation API Keys will be valid indefinitely. You can request that they are configured to expire and rotate every 40 minutes for increased application security by contacting Client Services.

To refresh your Access Token, make a POST request to the /oauth/token endpoint, using grant_type=refresh_token and the header content-type: application/x-www-form-urlencoded. If your TradeStation API Key is configured for expiring and rotating Refresh Tokens, you will receive a new Refresh Token in the response, in addition to the new Access Token.

Token URL:



grant_type (required): Set this to refresh_token.
client_id (required): The client application's API Key.
client_secret (optional): The secret for the client application's API Key. Required for standard Auth Code Flow. Not required for Auth Code Flow with PKCE.
refresh_token (required): The refresh_token received with the access_token.

Example Request:

curl --request POST \
--url '' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=refresh_token' \
--data 'client_id=YOUR_CLIENT_ID' \
--data 'client_secret=YOUR_CLIENT_SECRET' \
--data 'refresh_token=YOUR_REFRESH_TOKEN'

Example Response:

{
  "access_token": "eGlhc2xv...MHJMaA",
  "expires_in": 1200,
  "scope": "openid offline_access",
  "id_token": "vozT2Ix...wGVFPQ",
  "token_type": "Bearer"
}
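
An added example (not TradeStation's own code) of the refresh step described above: it builds the form-encoded request, keeps the current Refresh Token when the response carries none, and when a rotating key returns a new one, writes it to an owner-only file before the new Access Token is used. The function names, the file-based store, the 60-second expiry margin and the token URL supplied by the caller are assumptions of this example.

```python
import json, os, tempfile, time
import urllib.parse, urllib.request

EXPIRY_SKEW = 60  # assumption: refresh this many seconds before expires_in elapses

def build_refresh_request(token_url, client_id, refresh_token, client_secret=None):
    """Form-encoded POST for grant_type=refresh_token (no secret for PKCE keys)."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return urllib.request.Request(
        token_url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"content-type": "application/x-www-form-urlencoded"})

def save_refresh_token(path, token):
    """Write the token atomically to a file readable only by its owner."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:  # on POSIX, mkstemp creates the file with mode 0600
        f.write(token)
    os.replace(tmp, path)  # atomic swap: a crash never leaves a half-written token

def apply_token_response(body, current_refresh_token, store_path, now=None):
    """Return (access_token, refresh_at, refresh_token) from a token response."""
    data = json.loads(body)
    if "access_token" not in data:
        # Report only the error code; never echo tokens into logs or exceptions.
        raise ValueError("token refresh failed: %s" % data.get("error", "unknown"))
    refresh_token = data.get("refresh_token", current_refresh_token)
    if refresh_token != current_refresh_token:
        # Rotating key: persist the replacement before the new access token is used.
        save_refresh_token(store_path, refresh_token)
    now = time.time() if now is None else now
    refresh_at = now + int(data["expires_in"]) - EXPIRY_SKEW
    return data["access_token"], refresh_at, refresh_token

def refresh(token_url, client_id, refresh_token, store_path,
            client_secret=None, opener=urllib.request.urlopen):
    """POST the refresh request; `opener` is injectable so tests stay offline."""
    req = build_refresh_request(token_url, client_id, refresh_token, client_secret)
    with opener(req, timeout=10) as resp:
        return apply_token_response(resp.read(), refresh_token, store_path)
```

With a 1200-second expires_in, the returned refresh_at falls 1140 seconds after the response is processed.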