CIAM.wiki

Refresh Token

A refresh token is a long-lived credential an application uses to obtain new access tokens without making the user sign in again, letting access tokens stay short-lived for security.

A refresh token lets an application keep a user signed in without prompting them repeatedly. Access tokens expire quickly to limit risk, and when one expires the application presents its refresh token to the authorization server to get a fresh access token silently.

Because refresh tokens last longer, they are a more valuable target, so they need careful handling. Good practice includes storing them securely, rotating them on each use so a stolen token is quickly invalidated, and revoking them on logout or when abuse is detected.
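The handling practices listed above (hashed storage, rotation on every use, reuse detection, revocation on logout, expiry) are shown together in the following in-memory token store. This is an added example written for this entry, not code from CIAM.wiki or any particular authorization server; the class and method names, the 60-second lifetime in the walkthrough, and the choice of SHA-256 for the at-rest hash are all assumptions made here. The server side that mints the short-lived access token is only indicated by a comment.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class RefreshRecord:
    family: str        # every token descended from one login shares a family id
    subject: str       # the user the token was issued for
    expires_at: float  # absolute expiry (seconds since epoch)
    used: bool = False # set once the token has been exchanged; a second use is a replay


class RefreshTokenStore:
    """Hypothetical in-memory refresh-token store (an assumption of this example;
    a real service would persist this). Implements rotation with reuse detection."""

    def __init__(self, lifetime_s: int = 30 * 24 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._records: Dict[str, RefreshRecord] = {}   # keyed by token hash
        self._revoked_families: Set[str] = set()
        self.lifetime_s = lifetime_s
        self._clock = clock

    @staticmethod
    def _hash(token: str) -> str:
        # Only a hash is stored, so a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject: str, family: Optional[str] = None) -> str:
        """Mint a refresh token; a fresh login starts a new family."""
        token = secrets.token_urlsafe(32)
        family = family or secrets.token_hex(8)
        self._records[self._hash(token)] = RefreshRecord(
            family, subject, self._clock() + self.lifetime_s)
        return token

    def rotate(self, presented: str) -> Tuple[str, str]:
        """Exchange a refresh token for (subject, new_refresh_token).
        The caller would mint a short-lived access token for `subject` here."""
        rec = self._records.get(self._hash(presented))
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec.family in self._revoked_families:
            raise PermissionError("token family revoked")
        if rec.expires_at <= self._clock():
            raise PermissionError("refresh token expired")
        if rec.used:
            # A rotated token was replayed: either the legitimate client or a thief
            # holds a stale copy. Revoke the whole family so the other party's
            # current token stops working as well.
            self._revoked_families.add(rec.family)
            raise PermissionError("refresh token reuse detected; family revoked")
        rec.used = True
        return rec.subject, self.issue(rec.subject, rec.family)

    def revoke(self, presented: str) -> None:
        """Logout (or abuse detection): revoke the presented token's entire family."""
        rec = self._records.get(self._hash(presented))
        if rec is not None:
            self._revoked_families.add(rec.family)


def _rejected(store: RefreshTokenStore, token: str) -> bool:
    try:
        store.rotate(token)
        return False
    except PermissionError:
        return True


def demo() -> dict:
    """Walk through rotation, replay detection, logout revocation and expiry
    using a controllable clock and a constructed 60-second lifetime."""
    now = [1_000.0]
    store = RefreshTokenStore(lifetime_s=60, clock=lambda: now[0])
    out = {}
    t1 = store.issue("alice")
    subject, t2 = store.rotate(t1)          # normal silent renewal
    out["rotated_subject"] = subject
    out["new_token_differs"] = t2 != t1
    out["reuse_rejected"] = _rejected(store, t1)     # stale copy replayed
    out["family_revoked"] = _rejected(store, t2)     # the current token dies with it
    t3 = store.issue("alice")               # a new login is an unrelated family
    store.revoke(t3)                        # user logs out
    out["logout_revoked"] = _rejected(store, t3)
    t4 = store.issue("bob")
    now[0] += 61                            # lifetime elapses
    out["expired_rejected"] = _rejected(store, t4)
    return out


if __name__ == "__main__":
    print(demo())
```

The key property is that a rotated refresh token is single-use: the legitimate client always holds the newest token, so a replay of an older one is unambiguous evidence that two parties hold copies, and revoking the family forces a fresh login rather than letting either side keep going.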

For CIAM, refresh tokens are the mechanism behind a smooth customer experience, where a person stays logged in across sessions while the access tokens doing the real work remain short-lived and low-risk.