Glossary: Refresh Token
A refresh token is a security credential that allows an application to acquire a new access token to replace one that has expired without requiring the end user to re-authenticate (log in).
In OAuth 2, when the authorization server issues an access token to an application, it often issues an accompanying refresh token. When the access token expires, the application submits the refresh token to get a new access token.
Like access tokens, refresh tokens usually have a limited lifetime. This lifetime is often longer than an access token’s lifetime; this longer lifetime means that the end user doesn’t have to re-authenticate as often.
Since refresh tokens are generally longer-lived and are used to obtain new access tokens, they need to be stored and handled with greater care than access tokens.
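The exchange and the two lifetimes described above, as an added example that is not part of the original glossary entry: a toy in-memory authorization server that accepts the OAuth 2 `refresh_token` grant. The class, function names and lifetimes are hypothetical, and keeping only a hash of the refresh token on the server is an assumption of this sketch, shown as one way of handling the longer-lived credential with more care.

```python
import hashlib
import secrets

ACCESS_TTL, REFRESH_TTL = 300, 86400   # constructed lifetimes, in seconds

def _digest(token):
    # Store only a hash of the long-lived refresh token (an assumption of this sketch).
    return hashlib.sha256(token.encode()).hexdigest()

class AuthServer:
    """Toy in-memory authorization server (hypothetical)."""
    def __init__(self):
        self.access = {}    # access token -> (user, expiry time)
        self.refresh = {}   # sha256(refresh token) -> (user, expiry time)

    def _issue_access(self, user, now):
        token = secrets.token_urlsafe(32)
        self.access[token] = (user, now + ACCESS_TTL)
        return token

    def login(self, user, now):
        # End user has authenticated: issue both tokens.
        rt = secrets.token_urlsafe(32)
        self.refresh[_digest(rt)] = (user, now + REFRESH_TTL)
        return {"access_token": self._issue_access(user, now), "refresh_token": rt}

    def token(self, form, now):
        # Token endpoint, handling only the refresh_token grant.
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        entry = self.refresh.get(_digest(form.get("refresh_token", "")))
        if entry is None or now >= entry[1]:
            return {"error": "invalid_grant"}   # unknown or expired: log in again
        return {"access_token": self._issue_access(entry[0], now)}

    def valid(self, access_token, now):
        entry = self.access.get(access_token)
        return entry is not None and now < entry[1]

def demo():
    server = AuthServer()
    grant = server.login("alice", now=0)
    form = {"grant_type": "refresh_token", "refresh_token": grant["refresh_token"]}
    later = ACCESS_TTL + 1               # the first access token has expired
    renewed = server.token(form, now=later)
    return {
        "old_access_valid": server.valid(grant["access_token"], later),
        "new_access_valid": server.valid(renewed["access_token"], later),
        "after_refresh_expiry": server.token(form, now=REFRESH_TTL),
    }
```

The clock is passed in as `now` so the expiry behaviour is deterministic; once the refresh token itself has expired, the only way forward is a new `login`.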