Hello @Andre Meira,
Thank you for providing additional context!
The first time you access the authorization grant URL, you will be prompted to grant consent for that OAuth consumer to make requests on your account's behalf. Once you provide the consent, you will be redirected to the redirect_url configured in the OAuth consumer, with the Authorization code as part of this URL.
1. This Authorization code can be used one-time only to exchange for an access token.
curl -X POST -u "client_id:secret" \
  https://bitbucket.org/site/oauth2/access_token \
  -d grant_type=authorization_code -d code={code}
2. You can get a new code by accessing the authorization grant URL again:
https://bitbucket.org/site/oauth2/authorize?client_id={client_id}&response_type=code
3. Or directly get a new access token by using the refresh token that was included in the response of step 1:
curl -X POST -u "client_id:client_secret" https://bitbucket.org/site/oauth2/access_token -d grant_type=refresh_token -d refresh_token=<refresh_token>
Every time you exchange the code for an access token or use the refresh token to get a new access token, the access token will be different. However, the refresh token will always be the same. An access token expires in 2 hours, while the refresh_token has no expiration. Generating a new access token will not revoke the previous access tokens, and they will continue to expire after 2 hours of their creation.
It's important to note though that if you change the scopes of your OAuth consumer, the previously generated access and refresh tokens will be revoked and the user will have to authorize the app again. A new refresh token will be generated when you first exchange your new Authorization code for an access token. If you try to use the old refresh token after the OAuth scope change, you will get the "Invalid refresh token" error.
Hope that helps to clarify your questions!
Thank you, @Andre Meira!
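
The token lifecycle described in the reply above, sketched as a client-side cache (an added example, not part of the original reply and not Bitbucket's own code). It reuses the access token for its 2-hour lifetime, renews it with the refresh token, and treats a rejected refresh token (as after a scope change) as a signal to send the user through the authorize URL again. The `post` transport, `fake_endpoint`, `MARGIN`, and the RFC 6749 response field names (`access_token`, `refresh_token`, `expires_in`, `error_description`) are assumptions.

```python
import time
TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token"  # endpoint from the post
ACCESS_LIFETIME = 2 * 60 * 60  # access tokens last 2 hours (from the post)
MARGIN = 60                    # assumption: renew one minute before expiry

class ReauthorizationRequired(Exception):
    """Refresh token missing or rejected: the user must visit the authorize URL again."""

class TokenCache:
    # `post` is a hypothetical transport: post(url, auth, form) -> (status, json_dict)
    def __init__(self, post, client_id, client_secret, clock=time.time):
        self._post, self._auth, self._clock = post, (client_id, client_secret), clock
        self.access_token, self.refresh_token, self.expires_at = None, None, 0.0

    def _request(self, form):
        status, body = self._post(TOKEN_URL, self._auth, form)
        if status in (400, 401):   # rejected grant, e.g. "Invalid refresh token"
            raise ReauthorizationRequired(body.get("error_description", str(status)))
        if status != 200:          # transient failure: keep stored tokens, caller may retry
            raise RuntimeError(f"token endpoint returned {status}")
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.expires_at = self._clock() + body.get("expires_in", ACCESS_LIFETIME)
        return self.access_token

    def exchange_code(self, code):  # the code is single-use, so it is never stored
        return self._request({"grant_type": "authorization_code", "code": code})

    def get_access_token(self):
        if self.access_token and self._clock() < self.expires_at - MARGIN:
            return self.access_token   # still valid, no network call
        if not self.refresh_token:
            raise ReauthorizationRequired("no refresh token stored")
        try:
            return self._request({"grant_type": "refresh_token",
                                  "refresh_token": self.refresh_token})
        except ReauthorizationRequired:
            self.access_token = self.refresh_token = None  # stale after a scope change
            raise

def fake_endpoint(state):
    """Constructed stand-in for the token endpoint, for offline runs only."""
    def post(url, auth, form):
        if form["grant_type"] == "refresh_token" and state.get("scopes_changed"):
            return 400, {"error_description": "Invalid refresh token"}
        state["issued"] = state.get("issued", 0) + 1
        return 200, {"access_token": f"AT{state['issued']}", "refresh_token": "RT",
                     "expires_in": ACCESS_LIFETIME}
    return post
```

Because the refresh token has no expiration, whatever persists `refresh_token` between runs should treat it as a long-lived secret on par with the consumer's client secret.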