
Refresh Tokens

RedByte edited this page Feb 23, 2024 · 3 revisions

Using Refresh Tokens

Similarly to access tokens, if you want to use a refresh token through GraphSpy, you will have to set it as the "Active Refresh Token". From that point, refreshing to a new access token in GraphSpy will automatically use the active refresh token by default.

There are multiple ways to set the active refresh token:

  • From the Refresh Tokens List on the Refresh Tokens page, click on the checkmark icon (✓) to activate a specific refresh token
  • On the Refresh Tokens page, enter the ID of the refresh token you wish to activate and click the Set active token button
  • From the Token Options Side Bar on any page, fill in the ID of the refresh token you wish to activate and click the Set active refresh token button

The sidebar also shows a quick summary of your current active refresh token. Since refresh tokens can't be decrypted, GraphSpy cannot retrieve their exact expiry date. However, by default, they are valid for up to 90 days after creation. If you want to check whether your refresh token is still valid, the easiest option is to try to request a new access token.

Token Side Bar

Check out the Using Access Tokens and Refresh To Access Token sections of the wiki for more information on how to generate an access token from a refresh token.

Refresh Tokens Page

The Refresh Tokens page contains the following two sections:

Refresh Tokens List

The bottom section of the Refresh Tokens page shows a list of all refresh tokens stored in the GraphSpy database. If the refresh token was added through the device code flow, its description will automatically indicate through which device code (or more accurately which "user code") it was created. If the refresh token is created manually (see below), then the user can enter an optional custom description which can be used to indicate how this refresh token was obtained or for what it can be used.

Unlike Access Tokens, Refresh Tokens are encrypted, so their data can't be decoded. However, the raw token can still be seen using the dropdown icon, or it can be directly copied to your clipboard using the Copy icon.

The FOCI column indicates whether the refresh token belongs to a Family of Client ID (FOCI) application. When the token is created automatically through the device code flow, GraphSpy will automatically detect whether the refresh token can be used with Family of Client ID applications. If the refresh token is added manually, however, the user will need to indicate whether the FOCI flag should be set. Regardless, this is just an indication: setting the FOCI flag incorrectly will not affect the functionality of GraphSpy.

Refresh Token Page

Add Refresh Token

The top section of the Refresh Tokens page allows a user to manually add a refresh token to the GraphSpy database. An optional username can be specified, which makes it easier to keep track of the identity linked to the token.

In the tenant field, either the Tenant ID or the Tenant domain needs to be specified. If a valid GUID is entered, GraphSpy will assume this is a Tenant ID. In all other cases, GraphSpy will interpret the input as a domain name and it will try to resolve the Tenant ID automatically.

The resource can be used to indicate for which resource this refresh token can be used, although if it is a Family of Client ID (FOCI) token, you will still be able to use it to refresh to access tokens for other FOCI resources. In this case, the FOCI checkbox can be enabled to make it easier to remember that this is a FOCI token.

Note that GraphSpy will do little to no validation of whether the input entered here is correct. Submitting an invalid value for the refresh token or specifying an incorrect tenant will result in the refresh token being unusable.

Refresh tokens will usually start with the prefix "0." followed by about 51 base-64 characters (A-Za-z0-9_-) and another dot (.), ending with another long base-64 encoded string.
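Because GraphSpy does little validation here, the tenant rule and the token shape described above can be checked before submitting the form, and the same pattern can redact token-shaped strings from notes or logs. The following is an added example, not GraphSpy's own code: the function names, the length bounds, the canonical-GUID and domain patterns, and the sample values are all assumptions.

```python
import re

# Token shape as described on this page: "0." + about 51 base64url characters
# + "." + a long base64url string. The length bounds are assumptions that leave
# room for "about" and "usually"; a non-match is a warning, not proof.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_.-])0\.[A-Za-z0-9_-]{40,64}\.[A-Za-z0-9_-]{100,}(?![A-Za-z0-9_-])"
)
# Assumption: "valid GUID" means the canonical 8-4-4-4-12 hexadecimal form.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Loose domain check (assumption): dot-separated labels ending in a TLD.
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def classify_tenant(value: str) -> str:
    """Mirror the rule in the text: a GUID is a tenant ID, anything else a domain."""
    return "tenant_id" if GUID_RE.fullmatch(value.strip()) else "domain"


def precheck(token: str, tenant: str) -> list[str]:
    """Return the problems likely to make the stored refresh token unusable."""
    problems = []
    if any(c.isspace() for c in token):
        problems.append("token contains whitespace (copy/paste or line-wrap damage)")
    if not TOKEN_RE.fullmatch(token.strip()):
        problems.append("token does not match the usual 0.<~51 chars>.<long string> shape")
    tenant = tenant.strip()
    if classify_tenant(tenant) == "domain" and not DOMAIN_RE.fullmatch(tenant):
        problems.append("tenant is neither a GUID nor a plausible domain name")
    return problems


def redact_tokens(text: str) -> tuple[str, int]:
    """Replace token-shaped strings with a placeholder; return (text, count)."""
    return TOKEN_RE.subn(lambda m: f"0.<redacted {len(m.group())} chars>", text)


# Constructed sample values, not real tokens or tenants.
SAMPLE_TOKEN = "0." + "A" * 51 + "." + "b" * 200
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    print(precheck(SAMPLE_TOKEN, SAMPLE_TENANT_ID))
    print(precheck(SAMPLE_TOKEN[:60] + "\n" + SAMPLE_TOKEN[60:], "contoso"))
    print(redact_tokens(f"rt={SAMPLE_TOKEN} user=alice"))
```

A token that fails the shape check may still be valid, since the format above is only the usual one; requesting a new access token remains the definitive test.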

Refresh Token Page