Refresh Token
What is Refresh Token?
Refresh Token: Long-lived credential used to obtain new short-lived access tokens from an OAuth 2.0 authorization server without prompting the user to log in again.
Refresh tokens let an application maintain a session beyond the expiry of an access token. The client exchanges the refresh token at the authorization server's token endpoint and receives a fresh access token (and optionally a rotated refresh token). Because they grant long-term access, refresh tokens require strong protection: storage in HttpOnly cookies or secure enclaves, binding to client and device, rotation on each use, and detection of replay (revoke the whole chain on reuse). They should never be exposed to browser JavaScript. Mobile and SPA flows must use PKCE and rotation, per OAuth 2.1 guidance.
● Examples
- 01
POST /oauth/token with grant_type=refresh_token to renew an access token.
- 02
Rotating refresh tokens: the server invalidates the chain when an old token is presented twice.
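Added example, not code from the original page: a minimal in-memory model of the authorization server's refresh-token table implementing rotation on every use, client binding, and the reuse rule from example 02 (a consumed token presented a second time revokes the whole family). Names such as `RefreshTokenStore` and the `family` identifier are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class RefreshRecord:
    family: str         # chain id shared by every token descended from one login
    client_id: str      # token is bound to the client it was issued to
    expires_at: float   # absolute expiry, seconds since epoch
    used: bool = False  # set once the token has been redeemed


class RefreshTokenStore:
    """Constructed example of a server-side refresh-token table with rotation
    and replay detection. Tokens are opaque random strings; the server keeps
    all state, so nothing about the chain is visible to the client."""

    def __init__(self, lifetime_s: int = 30 * 24 * 3600):
        self.lifetime_s = lifetime_s
        self.tokens: Dict[str, RefreshRecord] = {}
        self.revoked_families: Set[str] = set()

    def issue(self, client_id: str, family: Optional[str] = None) -> str:
        """Issue a refresh token; a new family starts at login, otherwise the
        rotated token inherits the family of the one it replaces."""
        family = family or secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = RefreshRecord(family, client_id, time.time() + self.lifetime_s)
        return token

    def redeem(self, token: str, client_id: str) -> Optional[dict]:
        """Handle grant_type=refresh_token. Returns the new token pair, or None
        when the request must be rejected."""
        rec = self.tokens.get(token)
        if rec is None or rec.client_id != client_id or rec.expires_at < time.time():
            return None  # unknown, wrong client, or expired: plain rejection
        if rec.used or rec.family in self.revoked_families:
            # Replay: an already-consumed token was presented again. Either the
            # legitimate client or an attacker holds a stolen copy, so the whole
            # chain is revoked and the user has to log in again.
            self.revoked_families.add(rec.family)
            return None
        rec.used = True  # single use: rotate on every redemption
        return {
            "access_token": secrets.token_urlsafe(32),  # stand-in for a real short-lived token
            "refresh_token": self.issue(client_id, rec.family),
        }
```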
● Frequently asked questions
What is Refresh Token?
Long-lived credential used to obtain new short-lived access tokens from an OAuth 2.0 authorization server without prompting the user to log in again. It belongs to the Identity & Access category of cybersecurity.
What does Refresh Token mean?
Long-lived credential used to obtain new short-lived access tokens from an OAuth 2.0 authorization server without prompting the user to log in again.
How does Refresh Token work?
Refresh tokens let an application maintain a session beyond the expiry of an access token. The client exchanges the refresh token at the authorization server's token endpoint and receives a fresh access token (and optionally a rotated refresh token). Because they grant long-term access, refresh tokens require strong protection: storage in HttpOnly cookies or secure enclaves, binding to client and device, rotation on each use, and detection of replay (revoke the whole chain on reuse). They should never be exposed to browser JavaScript. Mobile and SPA flows must use PKCE and rotation, per OAuth 2.1 guidance.
How do you protect Refresh Tokens?
Protecting refresh tokens typically combines technical controls and operational practices, as detailed in the full definition above.
● Related terms
- identity-access № 007
Access Token
Short-lived credential issued by an authorization server that a client presents to an API to access protected resources on a user's or service's behalf.
- identity-access № 574
JWT (JSON Web Token)
Compact, URL-safe token format (RFC 7519) that carries signed JSON claims, widely used as access tokens, ID tokens, and session containers.
- identity-access № 749
OAuth 2.0
An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials.
- identity-access № 760
OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that lets clients verify a user's identity and obtain basic profile information via signed ID tokens.
- identity-access № 1018
Session Management
The set of controls that issue, maintain, refresh, and revoke an authenticated session, binding a user's identity to subsequent requests until logout or expiration.
- identity-access № 088
Bearer Token
An opaque or structured credential (RFC 6750) granting access to a resource simply by possession, without proof that the holder is the rightful owner.