> ## Documentation Index
> Fetch the complete documentation index at: https://developers.squads.so/llms.txt
> Use this file to discover all available pages before exploring further.
# Refresh Session
> Refresh an expired authentication session and obtain new encrypted credentials
This endpoint refreshes expired authentication sessions for Grid Accounts and returns new encrypted credentials. It implements a two-tier approach to handle different expiration scenarios automatically.
Using the Grid API directly requires **advanced configurations**. Grid SDK is
the recommended way to authenticate accounts. It handles authentication, key
management, automatic failover, and transaction signing. Learn more about the
Grid SDK in the [Grid SDK](/grid/v1/sdk-reference) guide.
This endpoint requires an active bearer token from a previous authentication.
For initial authentication, use [Initiate
Authentication](/grid/v1/api-reference/endpoint/authentication/post) followed
by [Verify OTP](/grid/v1/api-reference/endpoint/authentication/verify).
## How Session Refresh Works
Grid automatically handles different token expiration states:
If the user token is still valid but the session needs refreshing, the
endpoint re-authenticates using the existing token to obtain new encrypted
credentials.
If the user token has expired, the endpoint uses the refresh token to obtain
a new user token, then re-authenticates to get new encrypted credentials.
## When to Use This Endpoint
Use this endpoint when:
* **Session credentials expire**: Your authentication session has expired and you need new credentials
* **Token rotation**: Implementing proactive token rotation for enhanced security
* **Long-running applications**: Maintaining continuous access without requiring user re-authentication
**Automatic Handling** The endpoint automatically determines which case of
refresh to use based on the token expiration state. You don't need to specify
which approach to use.
## Required Configuration
You must provide:
1. **kms\_payload**: Contains the current session information including tokens
2. **encryption\_public\_key**: Your HPKE public key for encrypting new credentials
The endpoint returns new encrypted credentials that can be decrypted using your private key.
## Complete Implementation Guide
For comprehensive implementation details including:
* **HPKE keypair generation** with P-256 curve and DER formatting
* **Encryption public key creation**
* **Authorization key decryption** using ECDH + HKDF + ChaCha20-Poly1305
* **Session management** and token handling
* **Error handling** and retry strategies
See the [Primary Provider Integration](/grid/v1/api-reference/advanced/privy-signing) guide.
## Response Data
Upon successful refresh, you receive:
* **New session credentials**: Encrypted with your public key
* **Updated tokens**: Fresh user token, access token, and refresh token
* **Provider information**: Current KMS provider details
The refreshed session remains valid until expiration, allowing you to continue making authenticated requests to Grid API endpoints.
## Supported Providers
Currently supported KMS providers:
* **Privy**: Full support for two-tier session refresh
* **Turnkey**: Coming soon
## Error Handling
Common error scenarios:
* **400 Bad Request**: Invalid encryption public key or malformed payload
* **401 Unauthorized**: Refresh token expired or invalid, user must re-authenticate
* **500 Internal Server Error**: Service error, retry with exponential backoff
## OpenAPI
````yaml POST /api/grid/v1/auth/refresh-session
openapi: 3.1.0
info:
title: Grid v1 API
description: Grid v1 REST API for Solana-based smart account system
contact:
name: Grid API Support
url: https://squads.so
email: support@squads.so
license:
name: MIT
version: 1.0.0
servers:
- url: https://grid.squads.xyz
description: Production server
security:
- bearer_auth: []
tags:
- name: accounts
description: Smart account management operations
- name: spending-limits
description: Spending limit management
- name: standing-orders
description: Standing order operations
- name: transactions
description: Transaction management
- name: trade
description: Trade operations and management
- name: payments
description: Payment intent operations
- name: passkeys
description: Passkey management
- name: kyc
description: Know Your Customer operations
- name: external-accounts
description: External bank account management
- name: virtual-accounts
description: Virtual account management
- name: auth
description: Authentication operations
- name: proposals
description: Proposal management for multi-sig operations
- name: compliance
description: Compliance entity management and KYB/KYC operations
paths:
/api/grid/v1/auth/refresh-session:
post:
tags:
- accounts
operationId: handler
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/RefreshSessionRequestPayload'
required: true
responses:
'200':
description: Session refreshed successfully
content:
application/json:
schema:
$ref: >-
#/components/schemas/GridApiResponse_RefreshSessionResponsePayload
'400':
description: Invalid request parameters
'401':
description: Failed to refresh session
'500':
description: Internal server error
security:
- bearer_auth: []
components:
schemas:
RefreshSessionRequestPayload:
type: object
required:
- encryption_public_key
properties:
encryption_public_key:
type: string
description: HPKE public key for encryption
kms_payload:
oneOf:
- type: 'null'
- $ref: '#/components/schemas/KmsProvider'
description: >-
KMS provider payload (optional - if not provided, will use
HTTP-only cookie)
GridApiResponse_RefreshSessionResponsePayload:
type: object
required:
- data
- metadata
properties:
data:
type: object
required:
- kms_payload
properties:
kms_payload:
$ref: '#/components/schemas/KmsProvider'
metadata:
$ref: '#/components/schemas/Metadata'
KmsProvider:
type: object
required:
- provider
- session
properties:
provider:
$ref: '#/components/schemas/GridMPCProvider'
session:
$ref: '#/components/schemas/Session'
Metadata:
type: object
required:
- request_id
- timestamp
properties:
request_id:
type: string
timestamp:
type: string
format: date-time
GridMPCProvider:
type: string
enum:
- privy
- dynamic
- passkey
- turnkey
- external
Session:
oneOf:
- type: object
required:
- Privy
properties:
Privy:
$ref: '#/components/schemas/PrivySession'
- type: object
required:
- Turnkey
properties:
Turnkey:
$ref: '#/components/schemas/TurnkeySession'
- type: object
required:
- Passkey
properties:
Passkey:
$ref: '#/components/schemas/PasskeySession'
PrivySession:
type: object
required:
- user_id
- session
- token
- privy_access_token
- refresh_token
properties:
privy_access_token:
type: string
refresh_token:
type: string
session:
$ref: '#/components/schemas/AuthenticateResponse'
token:
type: string
user_id:
type: string
TurnkeySession:
type: object
required:
- user_id
- api_key_id
- credential_bundle
properties:
api_key_id:
type: string
credential_bundle:
type: string
user_id:
type: string
PasskeySession:
type: object
required:
- passkey_account
- pubkey
- relying_party_id
- session_key
properties:
passkey_account:
type: string
pubkey:
type: string
relying_party_id:
type: string
session_key:
$ref: '#/components/schemas/SessionKey'
AuthenticateResponse:
type: object
required:
- expires_at
- wallets
properties:
authorization_key:
type:
- string
- 'null'
encrypted_authorization_key:
oneOf:
- type: 'null'
- $ref: '#/components/schemas/EncryptedAuthorizationKey'
expires_at:
type: integer
format: int64
minimum: 0
wallets:
type: array
items:
$ref: '#/components/schemas/Wallet'
SessionKey:
type: object
description: >-
Grid v1 API SessionKey type that supports backward-compatible
deserialization
from both raw bytes array (old format) and base58 string (new format).
Always serializes to base58 string format.
required:
- key
- expiration
properties:
expiration:
type: integer
format: int64
minimum: 0
key:
type: string
example: '11111111111111111111111111111111'
EncryptedAuthorizationKey:
type: object
required:
- encryption_type
- encapsulated_key
- ciphertext
properties:
ciphertext:
type: string
encapsulated_key:
type: string
encryption_type:
type: string
Wallet:
type: object
required:
- id
- address
- created_at
- chain_type
- policy_ids
- additional_signers
properties:
additional_signers:
type: array
items:
$ref: '#/components/schemas/AdditionalSigner'
address:
type: string
chain_type:
$ref: '#/components/schemas/WalletChainType'
created_at:
type: integer
format: int64
minimum: 0
exported_at:
type:
- integer
- 'null'
format: int64
minimum: 0
id:
type: string
imported_at:
type:
- integer
- 'null'
format: int64
minimum: 0
owner_id:
type:
- string
- 'null'
policy_ids:
type: array
items:
type: string
public_key:
type:
- string
- 'null'
AdditionalSigner:
type: object
required:
- signer_id
properties:
override_policy_ids:
type: array
items:
type: string
nullable: true
signer_id:
type: string
WalletChainType:
type: string
enum:
- solana
- ethereum
- cosmos
- stellar
- sui
- tron
- bitcoin-segwit
securitySchemes:
bearer_auth:
type: http
scheme: bearer
description: Your Grid API key from the Grid Dashboard
````