Orchestrator API OAuth2 - Get refresh token for confidential application


I’m trying to follow the documentation to authorize my external application with the Orchestrator.

The request to get the access token was simple and I got the following result:

    "access_token": "ey....",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": "OR.BackgroundTasks.Read OR.Execution.Read OR.Folders.Read OR.Jobs.Read OR.Machines.Read OR.Robots.Read OR.Settings.Read OR.Tasks.Read OR.Users.Read"

This token is only valid for 1 hour so I want to exchange it for a refresh token.

To quote the documentation:

Access tokens expire in one hour. The external application can get a new access token without user interaction by exchanging a refresh token for it.
Refresh tokens are also valid for only one use and they expire after 60 days.

To do so, they must include offline_access in the scope parameter of the authorize request so that the authorization code can be used in a token request to get a refresh token.

If I understand this correctly, I have to send exactly the same request as before, but add offline_access to the scope.

Unfortunately, when I do that I’ll receive the following response:

    "error": "invalid_scope"

Does anyone know what’s going on?


1 Like

May I know how it was mentioned along the scope



This is my scope:

OR.Tasks.Read OR.BackgroundTasks.Read OR.Folders.Read OR.Settings.Read OR.Robots.Read OR.Machines.Read OR.Execution.Read OR.Users.Read OR.Jobs.Read offline_access

Edit: Just to make sure there’s no misunderstanding, I’m not trying to get refresh tokens for Microsoft, but the UiPath Orchestrator. Although since it’s all based on the OAuth2 specification, it should be the same.


I am also facing exact same issue. @tobias.stack did you manage to solve?


hello, I have this same doubt

I managed to get the access token without any problem, but it is better to work with the refresh token.

when I try to get the refresh token according to the documentation, I still get the access token as a result.

I am waiting for your help?

I realized that there is no refresh token for confidential applications with application scope. Only external applications with user scope can have a refresh token.


I guess that is the case as anytime I included the offline_access scope, I would get “invalid_scope” error. I think the documentation could use a little clarification, unless refresh tokens should be available to application scoped confidential applications as well.