Access tokens are valid for 60 minutes. When you get an access token, the response also includes a refresh token. The refresh token is valid for 30 days. At the end of your access token's lifetime, you can send the refresh token in a call to obtain a new access token and refresh token pair. You can now use the new access token for the next 60 minutes.

The original access token request requires user authentication. The refresh request does not require authentication.

Using the refresh token 'consumes' that token. It is valid for one use only. If you use the refresh token before the end of your access token's lifetime, the access token is also invalidated.

IMPORTANT: This page reflects recent improvements (starting December 22, 2017) to the authentication flow including revised URLs and token expiration periods. See the OAuth Migration Guide for details.

Generate a New Access Token Using the Refresh Token

The grant type must be "refresh_token". Copy the refresh token value to replace {refresh_token}:

curl -X POST "" \
  -H "Authorization: Basic {Base64 Encoded consumerKey and consumerSecret}" \
  -H "Accept:application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&refresh_token={refresh_token}"

Authorization Header

The authorization header is gathered by base64-encoding the string "{consumerKey}:{consumerSecret}", e.g. via an online tool (like Then final authorization header is then looking like "Authorization: Basic ZXhhbXBsZV9jbGllbnRfaWQ6ZXhhbXBsZV9jbGllbnRfc2VjcmV0"

Response Example

This returns a new access token and user information:


Response Data

Parameter Description
access_token OAuth access token
expires_in The access token's expiration time in seconds (60 minutes)
token_type The type of the access token (always "Bearer")
refresh_token The token to use to obtain a new access token, for example, if the current access token has expired. The refresh token is valid for 30 days.
organizer_key GoTo product user organizer key
account_key GoTo product account key (may be blank)
account_type GoTo product type “personal” or “corporate” (may be missing or blank)
firstName GoTo product user organizer first name (G2M only, missing or blank for other products)
lastName GoTo product user organizer last name (G2M only, missing or blank for other products)
email GoTo product user organizer email (G2M only, missing or blank for other products)
version The version of the access token


This access token can now be used to authorize API requests by setting it in the Authorization header with the following format: "Authorization: Bearer {access_token}".

E.g. for the GET /me request of the Admin API:

curl -H "Accept: application/json" -H "Authorization: Bearer RlUe11faKeyCWxZToK3nk0uTKAL" ""

You can also use the access_token and organizer_key values in the API Reference page for the product, or in API calls in your client application.