access_token is valid for 30 days. Clients should refresh within the 24h window before expiry to avoid a 401 in the middle of an operation.

Endpoint

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=<refresh_token>&client_id=<any_client_identifier>

Note: this endpoint uses OAuth 2.0 form encoding, not JSON. client_id is required; for email login you can pass any non-empty string (e.g. your app bundle id).

Response

OAuth 2.0 standard format:
{
  "access_token":  "eyJhbGci...",
  "token_type":    "Bearer",
  "expires_in":    2592000,
  "refresh_token": "eyJhbGci...",
  "scope":         "mcp:read mcp:write"
}
  • HTTP 200 = success.
  • HTTP 401 with expired_token means the refresh_token expired or was revoked — clear local tokens and restart email login.
  • Each refresh issues both a new access_token and a new refresh_token. Replace both locally.

Error responses

{ "error": "expired_token", "error_description": "..." }
Common errors:
  • invalid_client — missing client_id.
  • expired_token — refresh_token expired.
  • invalid_grant — refresh_token invalid.

Client strategy

  • Cache access_token and expires_in; refresh proactively when < 24h remain.
  • On 401, try a refresh once first; clear local tokens and re-login only if the failure continues.
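
The client strategy above as an added Python example (not code from this documentation or from any Mirobody SDK). `TokenStore`, `http_post_form`, `ReLoginRequired` and the `do_request` callback are hypothetical names, and handling `invalid_grant` the same way as `expired_token` is an assumption.

```python
import json, time, urllib.error, urllib.parse, urllib.request

REFRESH_WINDOW = 24 * 3600  # refresh proactively when < 24h remain

class ReLoginRequired(Exception):
    """Local tokens were cleared; restart email login."""

def http_post_form(url, fields):
    """POST form-encoded fields (not JSON); return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # error responses come back as (status, body) too
        return err.code, json.loads(err.read() or b"{}")

class TokenStore:  # hypothetical helper, not part of any SDK
    def __init__(self, base_url, client_id, tokens, post=http_post_form, now=time.time):
        self.base_url, self.client_id, self._post, self._now = base_url, client_id, post, now
        self._save(tokens)  # tokens: the JSON body from login or a previous refresh

    def _save(self, body):  # each refresh issues both tokens anew: replace both
        self.access_token, self.refresh_token = body["access_token"], body["refresh_token"]
        self.expires_at = self._now() + body["expires_in"]

    def _clear(self, reason):
        self.access_token = self.refresh_token = None
        raise ReLoginRequired(reason)

    def refresh(self):
        status, body = self._post(self.base_url + "/oauth/token", {"grant_type": "refresh_token",
            "refresh_token": self.refresh_token, "client_id": self.client_id})
        if status != 200:
            # Assumption: invalid_grant is handled like expired_token (re-login).
            if body.get("error") in ("expired_token", "invalid_grant"):
                self._clear(body["error"])
            raise RuntimeError(f"refresh failed: HTTP {status} {body.get('error')}")  # keep tokens
        self._save(body)

    def call(self, do_request):  # do_request(access_token) -> (status, body)
        if self.expires_at - self._now() < REFRESH_WINDOW:
            self.refresh()
        status, body = do_request(self.access_token)
        if status == 401:  # try refresh once, then give up and re-login
            self.refresh()
            status, body = do_request(self.access_token)
            if status == 401:
                self._clear("401 after refresh")
        return status, body
```

Failures other than `expired_token` and `invalid_grant` (for example a server error during refresh) raise `RuntimeError` and leave the stored tokens in place, so a transient outage does not force a re-login.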