
Refresh-token exchange handler

POST /api/v1/auth/refresh

Validates the supplied refresh token, atomically rotates it for a new pair, and returns the new tokens. Reusing an already-rotated refresh token is treated as a theft signal: the entire token family is revoked so the legitimate session is also forced to re-authenticate. All error paths surface as 401 so the client falls through to its login-redirect fallback.
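
The rotation and reuse-detection logic described above, as an added example; it is not this API's own code. The SQLite table, the function names and the opaque random tokens are assumptions made for illustration, and expiry checks are left out.

```python
import hashlib, secrets, sqlite3, uuid

# Autocommit mode; refresh() opens its own transaction explicitly.
db = sqlite3.connect(":memory:", isolation_level=None)
db.execute("CREATE TABLE refresh_tokens (hash TEXT PRIMARY KEY, family TEXT, "
           "used INTEGER DEFAULT 0, revoked INTEGER DEFAULT 0)")

def _h(token):
    # Store only a digest so a database leak does not expose usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def issue(family=None):
    """Mint a refresh token: a login starts a new family, a rotation reuses it."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO refresh_tokens (hash, family) VALUES (?, ?)",
               (_h(token), family or uuid.uuid4().hex))
    return token

def refresh(token):
    """Return (status, body) for one refresh request."""
    db.execute("BEGIN IMMEDIATE")  # write lock: lookup and rotation are one unit
    try:
        row = db.execute("SELECT family, used, revoked FROM refresh_tokens "
                         "WHERE hash = ?", (_h(token),)).fetchone()
        if row is None or row[2]:
            status, body = 401, {}  # unknown token, or its family was revoked
        elif row[1]:
            # Already rotated once: theft signal, revoke every token in the family.
            db.execute("UPDATE refresh_tokens SET revoked = 1 WHERE family = ?",
                       (row[0],))
            status, body = 401, {}
        else:
            db.execute("UPDATE refresh_tokens SET used = 1 WHERE hash = ?",
                       (_h(token),))
            # The access token here is a random stand-in for a real one.
            status, body = 200, {"access_token": secrets.token_urlsafe(32),
                                 "refresh_token": issue(row[0])}
        db.execute("COMMIT")
        return status, body
    except Exception:
        db.execute("ROLLBACK")
        return 401, {}  # every failure looks the same to the client
```

Because the lookup and the `used` update run under one write lock, two concurrent requests with the same token cannot both succeed; the second one sees `used = 1` and triggers the family revocation.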

Request

Responses

Token refreshed successfully