Perform a POST request to /oauth/token with parameters client_id, client_secret, code, redirect_uri and grant_type=authorization_code. After following these steps, you will have an access token and a refresh token. The access token is valid for 2 hours, while the refresh token currently remains valid for 60 days.

With the refresh token, you can request a new access token / refresh token pair: Perform a POST request to /oauth/token with parameters: client_id, client_secret, refresh_token, redirect_uri and grant_type=refresh_token. Each refresh token can be used only once. As soon as the new access token is used to access the API for the first time, the previous refresh token will be revoked.