Refresh a token
Headers
Correlation id. Generated if omitted, echoed on every response, and written to the audit log. /send is the exception — there it is required, and it doubles as the idempotency key.
Request
Opaque 64-character hex token. Single-use — every /refresh consumes the token presented and returns a new one.
It is not a JWT and carries no readable claims. Only a hash of it is stored, so it cannot be recovered if lost — a lost refresh token just means calling /auth again.
Response
Echo of the inbound X-Request-Id, or a generated one.