Refresh Session

cURL

curl --request POST \
  --url https://grid.squads.xyz/api/grid/v1/auth/refresh-session \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "encryption_public_key": "<string>",
  "kms_payload": {
    "provider": "privy",
    "session": {
      "Privy": {
        "privy_access_token": "<string>",
        "refresh_token": "<string>",
        "session": {
          "expires_at": 1,
          "wallets": [
            {
              "additional_signers": [
                {
                  "signer_id": "<string>",
                  "override_policy_ids": [
                    "<string>"
                  ]
                }
              ],
              "address": "<string>",
              "chain_type": "solana",
              "created_at": 1,
              "id": "<string>",
              "policy_ids": [
                "<string>"
              ],
              "exported_at": 1,
              "imported_at": 1,
              "owner_id": "<string>",
              "public_key": "<string>"
            }
          ],
          "authorization_key": "<string>",
          "encrypted_authorization_key": {
            "ciphertext": "<string>",
            "encapsulated_key": "<string>",
            "encryption_type": "<string>"
          }
        },
        "token": "<string>",
        "user_id": "<string>"
      }
    }
  }
}
'

{
  "data": {
    "kms_payload": {
      "provider": "privy",
      "session": {
        "Privy": {
          "privy_access_token": "<string>",
          "refresh_token": "<string>",
          "session": {
            "expires_at": 1,
            "wallets": [
              {
                "additional_signers": [
                  {
                    "signer_id": "<string>",
                    "override_policy_ids": [
                      "<string>"
                    ]
                  }
                ],
                "address": "<string>",
                "chain_type": "solana",
                "created_at": 1,
                "id": "<string>",
                "policy_ids": [
                  "<string>"
                ],
                "exported_at": 1,
                "imported_at": 1,
                "owner_id": "<string>",
                "public_key": "<string>"
              }
            ],
            "authorization_key": "<string>",
            "encrypted_authorization_key": {
              "ciphertext": "<string>",
              "encapsulated_key": "<string>",
              "encryption_type": "<string>"
            }
          },
          "token": "<string>",
          "user_id": "<string>"
        }
      }
    }
  },
  "metadata": {
    "request_id": "<string>",
    "timestamp": "2023-11-07T05:31:56Z"
  }
}

POST

api

grid

auth

refresh-session

cURL

curl --request POST \
  --url https://grid.squads.xyz/api/grid/v1/auth/refresh-session \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "encryption_public_key": "<string>",
  "kms_payload": {
    "provider": "privy",
    "session": {
      "Privy": {
        "privy_access_token": "<string>",
        "refresh_token": "<string>",
        "session": {
          "expires_at": 1,
          "wallets": [
            {
              "additional_signers": [
                {
                  "signer_id": "<string>",
                  "override_policy_ids": [
                    "<string>"
                  ]
                }
              ],
              "address": "<string>",
              "chain_type": "solana",
              "created_at": 1,
              "id": "<string>",
              "policy_ids": [
                "<string>"
              ],
              "exported_at": 1,
              "imported_at": 1,
              "owner_id": "<string>",
              "public_key": "<string>"
            }
          ],
          "authorization_key": "<string>",
          "encrypted_authorization_key": {
            "ciphertext": "<string>",
            "encapsulated_key": "<string>",
            "encryption_type": "<string>"
          }
        },
        "token": "<string>",
        "user_id": "<string>"
      }
    }
  }
}
'

{
  "data": {
    "kms_payload": {
      "provider": "privy",
      "session": {
        "Privy": {
          "privy_access_token": "<string>",
          "refresh_token": "<string>",
          "session": {
            "expires_at": 1,
            "wallets": [
              {
                "additional_signers": [
                  {
                    "signer_id": "<string>",
                    "override_policy_ids": [
                      "<string>"
                    ]
                  }
                ],
                "address": "<string>",
                "chain_type": "solana",
                "created_at": 1,
                "id": "<string>",
                "policy_ids": [
                  "<string>"
                ],
                "exported_at": 1,
                "imported_at": 1,
                "owner_id": "<string>",
                "public_key": "<string>"
              }
            ],
            "authorization_key": "<string>",
            "encrypted_authorization_key": {
              "ciphertext": "<string>",
              "encapsulated_key": "<string>",
              "encryption_type": "<string>"
            }
          },
          "token": "<string>",
          "user_id": "<string>"
        }
      }
    }
  },
  "metadata": {
    "request_id": "<string>",
    "timestamp": "2023-11-07T05:31:56Z"
  }
}

This endpoint refreshes expired authentication sessions for Grid Accounts and returns new encrypted credentials. It implements a two-tier approach to handle different expiration scenarios automatically.

Using the Grid API directly requires advanced configurations. Grid SDK is the recommended way to authenticate accounts. It handles authentication, key management, automatic failover, and transaction signing. Learn more about the Grid SDK in the Grid SDK guide.

This endpoint requires an active bearer token from a previous authentication. For initial authentication, use Initiate Authentication followed by Verify OTP.

How Session Refresh Works

Grid automatically handles different token expiration states:

Case 1: Re-authentication

If the user token is still valid but the session needs refreshing, the endpoint re-authenticates using the existing token to obtain new encrypted credentials.

Case 2: Token Refresh

If the user token has expired, the endpoint uses the refresh token to obtain a new user token, then re-authenticates to get new encrypted credentials.

When to Use This Endpoint

Use this endpoint when:

Session credentials expire: Your authentication session has expired and you need new credentials
Token rotation: Implementing proactive token rotation for enhanced security
Long-running applications: Maintaining continuous access without requiring user re-authentication

Automatic Handling The endpoint automatically determines which case of refresh to use based on the token expiration state. You don’t need to specify which approach to use.

Required Configuration

You must provide:

kms_payload: Contains the current session information including tokens
encryption_public_key: Your HPKE public key for encrypting new credentials

The endpoint returns new encrypted credentials that can be decrypted using your private key.

Complete Implementation Guide

For comprehensive implementation details including:

HPKE keypair generation with P-256 curve and DER formatting
Encryption public key creation
Authorization key decryption using ECDH + HKDF + ChaCha20-Poly1305
Session management and token handling
Error handling and retry strategies

See the Primary Provider Integration guide.

Response Data

Upon successful refresh, you receive:

New session credentials: Encrypted with your public key
Updated tokens: Fresh user token, access token, and refresh token
Provider information: Current KMS provider details

The refreshed session remains valid until expiration, allowing you to continue making authenticated requests to Grid API endpoints.

Supported Providers

Currently supported KMS providers:

Privy: Full support for two-tier session refresh
Turnkey: Coming soon

Error Handling

Common error scenarios:

400 Bad Request: Invalid encryption public key or malformed payload
401 Unauthorized: Refresh token expired or invalid, user must re-authenticate
500 Internal Server Error: Service error, retry with exponential backoff

Authorizations

Authorization

string

header

required

Your Grid API key from the Grid Dashboard

Body

application/json

encryption_public_key

string

required

HPKE public key for encryption

kms_payload

object

KMS provider payload (optional - if not provided, will use HTTP-only cookie)

Show child attributes

Response

Session refreshed successfully

data

object

required

Show child attributes

metadata

object

required

Show child attributes

Verify OTP Create Spending Limit

⌘I

API Updates

Account Management

Passkeys

Authentication

Spending Limits

Standing Orders

Proposals

Payment Intents

Solana Support

KYC Operations

Virtual Accounts

Advanced

Refresh Session

How Session Refresh Works

When to Use This Endpoint

Required Configuration

Complete Implementation Guide

Response Data

Supported Providers

Error Handling

Authorizations

Body

Response

API Updates

Account Management

Passkeys

Authentication

Spending Limits

Standing Orders

Proposals

Payment Intents

Solana Support

KYC Operations

Virtual Accounts

Advanced

Documentation Index

​How Session Refresh Works

​When to Use This Endpoint

​Required Configuration

​Complete Implementation Guide

​Response Data

​Supported Providers

​Error Handling

Authorizations

Body

Response

How Session Refresh Works

When to Use This Endpoint

Required Configuration

Complete Implementation Guide

Response Data

Supported Providers

Error Handling