How to Use Refresh Tokens

With OAuth 2.0, a refresh token is how a client renews its access_token after it has expired. You'll know your user's access token has expired when they try to make an API call. If it fails, the response will have a key called "errors" whose value is an array. The first element in that array will have a key called errorType or message, which will say something similar to "Expired Access Token". The request you make to renew your access_token should be specified by whatever API you're using, and the format may be specific to that API too. For Fitbit's API, the headers you set look like this:

# strict_encode64: plain encode64 appends a newline, which is not valid in a header value
headers: {"Authorization" => "Basic " + Base64.strict_encode64(ENV["FITBIT_CLIENT_ID"] + ":" + ENV["FITBIT_CLIENT_SECRET"])}

Assuming everything worked correctly, you’ll get a new access_token and refresh_token for your user and you can make more API calls.
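The whole flow described above, as an added example that is not part of the original post or Fitbit's own code: detect the expired-token error, build the renewal request, and read the new token pair. The endpoint URL, the function names, the form fields (standard OAuth 2.0 refresh parameters) and the sample bodies are assumptions constructed for illustration.

```ruby
require "json"
require "net/http"
require "uri"

# Placeholder endpoint (assumption): use the token URL from your API's docs.
TOKEN_URL = URI("https://api.example.com/oauth2/token")

# True when an API error body has the shape described above:
# {"errors": [{"errorType": "...", "message": "..."}]} naming an expired token.
def expired_token?(body)
  data = JSON.parse(body)
  first = data.is_a?(Hash) ? Array(data["errors"]).first : nil
  return false unless first.is_a?(Hash)
  text = "#{first["errorType"]} #{first["message"]}"
  text.match?(/expired/i) && text.match?(/token/i)
rescue JSON::ParserError
  false
end

# Builds (does not send) the renewal request: client credentials in the
# Basic header, refresh token in the form body (RFC 6749, section 6).
def build_refresh_request(refresh_token, client_id, client_secret)
  req = Net::HTTP::Post.new(TOKEN_URL)
  # basic_auth emits "Basic " + Base64 of "id:secret" with no line breaks.
  req.basic_auth(client_id, client_secret)
  req.set_form_data("grant_type" => "refresh_token", "refresh_token" => refresh_token)
  req
end

# Pulls the new token pair out of a successful response. Both values are
# stored for the user, so fail loudly if either one is missing.
def extract_tokens(body)
  data = JSON.parse(body)
  access, refresh = data.values_at("access_token", "refresh_token")
  if access.to_s.empty? || refresh.to_s.empty?
    raise ArgumentError, "token response is missing access_token or refresh_token"
  end
  { access_token: access, refresh_token: refresh }
end

# Constructed sample bodies, not captured from a real API.
EXPIRED_BODY = '{"errors":[{"errorType":"expired_token","message":"Access token expired"}]}'
TOKEN_BODY   = '{"access_token":"new-access","refresh_token":"new-refresh","expires_in":28800}'

if expired_token?(EXPIRED_BODY)
  req = build_refresh_request("old-refresh", "SAMPLE_ID", "SAMPLE_SECRET")
  puts req.body # form body only; keep the Authorization header out of logs
  puts extract_tokens(TOKEN_BODY).keys.inspect
end
```

Send the built request over HTTPS only, since it carries both the client secret and the refresh token.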