The access token can expire. When it happens, the application must require a new token using the refresh token.
For refreshing the token, the client application needs to access
/oauth/token URL with the grant type refresh_token:
{
"client_id": $CLIENT_ID,
"client_secret": $CLIENT_SECRET,
"redirect_uri": $CALLBACK_URL,
"grant_type": "refresh_token",
"refresh_token": $REFRESH_TOKEN
}
It will return a JSON bringing the following keys:
{
"access_token": "the access token",
"token_type": "bearer",
"expires_in": "how much seconds to expire",
"refresh_token": "the refresh token",
"scope": "profile (maybe invite too)",
"created_at": "when it was created",
"api_token": "PW1 API token"
}