diff --git a/src/main/java/org/gcube/common/authorization/utils/secret/JWTSecret.java b/src/main/java/org/gcube/common/authorization/utils/secret/JWTSecret.java
index 7057a16..6f26ffd 100644
--- a/src/main/java/org/gcube/common/authorization/utils/secret/JWTSecret.java
+++ b/src/main/java/org/gcube/common/authorization/utils/secret/JWTSecret.java
@@ -16,6 +16,7 @@ import org.gcube.common.authorization.library.utils.Caller;
 import org.gcube.common.authorization.utils.clientid.RenewalProvider;
 import org.gcube.common.authorization.utils.user.KeycloakUser;
 import org.gcube.common.authorization.utils.user.User;
+import org.gcube.common.keycloak.KeycloakClientFactory;
 import org.gcube.common.keycloak.model.AccessToken;
 import org.gcube.common.keycloak.model.RefreshToken;
 import org.gcube.common.keycloak.model.util.Time;
@@ -51,7 +52,8 @@ public class JWTSecret extends Secret {
 			if(Time.currentTimeMillis()>=(accessToken.getExp()-TOLERANCE)) {
 				expired = true;
 				if(refreshToken!=null) {
-					// TODO refresh
+					ObjectMapper mapper = new ObjectMapper();
+					KeycloakClientFactory.newInstance().refreshToken(getUsername(), mapper.writeValueAsString(refreshToken));
 					expired = false;
 				}
 			}