Skip to main content
POST
/
api
/
sys
/
users
/
token
/
refresh
Get a one-time JWT token
curl --request POST \
  --url https://spaces.nexudus.com/api/sys/users/token/refresh \
  --header 'Authorization: Basic <encoded-value>'
{
  "WasSuccessful": true,
  "Value": {},
  "Status": 123,
  "Message": {},
  "Errors": "<any>",
  "401 Unauthorized": {}
}

Get a one-time JWT token

Issues a short-lived, opaque server-side token tied to the authenticated customer’s session. The portal uses this token exclusively to build redirect URLs that require the customer to land in an authenticated state on the legacy server-rendered side of Nexudus — for example, when opening a file download or navigating to a server-rendered page from within the React portal. The token is placed in the URL (?t=) and is not the bearer token itself.
This is not an OAuth token-refresh operation. It does not rotate the bearer token or the refresh_token held by the client. Use POST /api/token with grant_type=refresh_token to renew an expiring bearer token instead.

Authentication

Requires a valid customer bearer token.

Request Body

This endpoint accepts no body parameters. Send the request with no body; authentication is established entirely via the Authorization header.

Response

Returns an ActionConfirmation envelope.
WasSuccessful
boolean
required
true when a server-side token was issued successfully. The component rendering the authenticated link should remain disabled until this is true.
Value
string | null
The short-lived opaque token string. Append this as the t query parameter when constructing authenticated redirect URLs, e.g. /user/login?server=true&t={Value}&redirectUrl=.... null when WasSuccessful is false.
Status
number
HTTP-style status code mirrored in the response body. 200 on success, 500 on failure.
Message
string | null
Human-readable message. Usually null on success.
Errors
any
Validation or server errors. null on success.

Examples

Successful token refresh

POST /api/sys/users/token/refresh
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

```json
{
  "WasSuccessful": true,
  "Value": "a3f8c2d1e5b74091bc6e2f3a4d5c6b7e",
  "Status": 200,
  "Message": null,
  "Errors": null
}

Using the token in a redirect URL

Once WasSuccessful is true, construct the authenticated URL as follows:
{NativeHomeUrlWithLanguage}/user/login?server=true&t={Value}&redirectUrl={encodeURIComponent(targetPath)}
For example:
https://app.example.com/en/user/login?server=true&t=a3f8c2d1e5b74091bc6e2f3a4d5c6b7e&redirectUrl=%2Fen%2Finvoices%2Fdownload%2F42

Use Cases

Logging the user into the portal

When you need to authenticate a user and redirect them into the portal (e.g., after completing an e-commerce checkout, verifying an email, or activating a magic link), use this endpoint to obtain a short-lived JWT and redirect the browser to the portal login URL:
  1. Obtain the JWT — call POST /api/sys/users/token/refresh with a valid bearer token
  2. Redirect the user — navigate to :portal_url/login?t=:jwt on the Nexudus server URL
    // After obtaining the JWT from the endpoint
    const jwtToken = tokenData?.Value

    // Redirect the user to the portal login
    window.location.href = `${portal_url}/login?t=${jwtToken}`
Optionally append redirectUrl to send the user to a specific page after login:
const targetPath = `/${location_web_address}/dashboard/personal`
window.location.href = `{portal_url}/login?t=${jwtToken}&redirectUrl=${encodeURIComponent(targetPath)}`
The JWT token is single-use and expires quickly, making this a secure way to transfer authentication between systems.

Getting a bearer token for API requests

If you need to make authenticated API calls on behalf of the customer (rather than redirecting them), use the Exchange JWT endpoint (POST /api/sys/users/exchange) instead. It converts a short-lived server-issued JWT into a standard bearer token that can be used in the Authorization header for subsequent API requests. See Exchange JWT for details.

TypeScript Integration

import endpoints from '@/api/endpoints'
import { useTypedData } from '@/api/fetchData'
import { createShape } from '@/helpers/shape-helper'
import { ActionConfirmation } from '@/types/ActionConfirmation'

const endpoint = endpoints.system.auth.refresh()

// Request only the two fields needed to build the redirect URL
const shape = createShape<typeof endpoint.type>()(['Value', 'WasSuccessful'])

const { resource: tokenData } = useTypedData(httpClient, endpoint, shape, { method: 'post' })

// tokenData?.WasSuccessful === true means the link is ready to use
// tokenData?.Value is the opaque token to embed in the redirect URL
const wrappedUrl = `${business.NativeHomeUrlWithLanguage}/user/login?server=true&t=${tokenData?.Value}&redirectUrl=${encodeURIComponent(href)}`

Usage in Portal

ContextSource file
Authenticated redirect links (e.g. file downloads, PDF views)src/components/AuthenticatedLink.tsx

Error Responses

401 Unauthorized
error
The bearer token is missing, expired, or invalid. The customer must sign in again via POST /api/token.
MethodEndpointDescription
POST/api/tokenExchange email and password (or a refresh token) for a new bearer token
POST/api/sys/users/exchangeExchange a server-issued JWT for a bearer token
GET/api/auth/media/customerObtain a short-lived JWT for accessing protected media files