diff --git a/src/ohmyapi/builtin/auth/routes.py b/src/ohmyapi/builtin/auth/routes.py
index 3d7be7f..efda1b2 100644
--- a/src/ohmyapi/builtin/auth/routes.py
+++ b/src/ohmyapi/builtin/auth/routes.py
@@ -200,10 +200,14 @@ async def login(form_data: LoginRequest = Body(...)):
 )
+class TokenRefresh(BaseModel):
+ refresh_token: str
+
+
 @router.post("/refresh", response_model=AccessToken)
-async def refresh_token(refresh_token: str):
+async def refresh_token(refresh_token: TokenRefresh = Body(...)):
 """Exchange refresh token for new access token."""
- payload = decode_token(refresh_token)
+ payload = decode_token(refresh_token.refresh_token)
 if payload.get("type") != "refresh":
 raise HTTPException(
 status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid refresh token"
@@ -219,7 +223,7 @@ async def refresh_token(refresh_token: str):
 new_access = create_token(
 claims(TokenType.access, user), ACCESS_TOKEN_EXPIRE_SECONDS
 )
- return AccessToken(token_type="bearer", access_token=access_token)
+ return AccessToken(token_type="bearer", access_token=new_access)
 @router.get("/introspect", response_model=Dict[str, Any])
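Review bot: In the first hunk the handler, its parameter and the model field are all named `refresh_token`, so the decode call reads `refresh_token.refresh_token` and the parameter shadows the function name. Following the `login(form_data: LoginRequest = Body(...))` signature shown in the hunk header, I would write `async def refresh_token(form_data: TokenRefresh = Body(...)):` and `payload = decode_token(form_data.refresh_token)`; a single model body parameter should keep the same JSON shape on the wire. `TokenRefresh` has no docstring; a one-line `"""Request body for /refresh; the token is sent in the body so it stays out of URLs and access logs."""` would record why the query parameter was dropped. `decode_token` is defined outside this diff, so it is worth confirming that a malformed or expired token becomes a 401 rather than an unhandled exception before the `type` check runs. The body of `refresh_token` continues past the end of this hunk.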