Refresh Token

A refresh token is a long-lived credential issued alongside a short-lived access token, used to obtain new access tokens without prompting the user to authenticate again. Refresh tokens trade convenience for risk: longer life means a wider compromise window, so they are stored more carefully and handled more strictly than access tokens.

How it works

When the user authorizes a client, the authorization server issues both an access token (valid for minutes) and a refresh token (valid for days to months, often with rotation). When the access token expires, the client posts the refresh token to the token endpoint with grant_type=refresh_token and receives a new access token, optionally with a new refresh token.

Storage considerations

  • Server-rendered web apps: refresh tokens belong server-side, never in the browser.
  • Single-page apps: PKCE with short-lived access tokens and a refresh token in an HttpOnly cookie, or silent renewal via the auth server.
  • Native apps: stored in the platform secure keystore (Keychain on iOS, Keystore on Android).
  • Rotation: issuing a new refresh token on every use and invalidating the previous one limits replay if a refresh token leaks.
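The refresh exchange described under "How it works" and the rotation rule in the last bullet, carried through as an added example (not code from the original page): an in-memory token store, a `grant_type=refresh_token` handler for the token endpoint, and rotation that consumes the presented refresh token. It goes one step beyond the text: a refresh token that is presented a second time after rotation is treated as replay, and the whole token family descending from that login is revoked, so the legitimate client is forced to re-authenticate rather than racing the attacker. The TTL values, the `TokenStore` class and the family identifier are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 300           # access tokens live for minutes (assumed 5 here)
REFRESH_TTL = 30 * 86400   # refresh tokens live for days (assumed 30 here)


@dataclass
class RefreshRecord:
    subject: str        # user the token was issued for
    family: str         # lineage shared by every token descending from one login
    expires_at: float
    used: bool = False  # set once the token is rotated; reuse afterwards is replay


class TokenStore:
    """In-memory stand-in for the authorization server's token database (assumed)."""

    def __init__(self):
        self._records = {}           # refresh token -> RefreshRecord
        self._dead_families = set()  # families revoked after detected replay

    def get(self, token):
        return self._records.get(token)

    def add(self, token, record):
        self._records[token] = record

    def family_revoked(self, family):
        return family in self._dead_families

    def revoke_family(self, family):
        self._dead_families.add(family)


def issue_tokens(store, subject, family=None, now=None):
    """Mint an access/refresh pair. A new family starts at login; rotation keeps the family."""
    now = time.time() if now is None else now
    family = family or secrets.token_hex(8)
    refresh = secrets.token_urlsafe(32)
    store.add(refresh, RefreshRecord(subject, family, now + REFRESH_TTL))
    return {
        "access_token": secrets.token_urlsafe(32),  # opaque token; a JWT would do as well
        "token_type": "Bearer",
        "expires_in": ACCESS_TTL,
        "refresh_token": refresh,
    }


def handle_token_request(store, form, now=None):
    """Handle POST /token with grant_type=refresh_token. Returns (http_status, body)."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    record = store.get(form.get("refresh_token", ""))
    if record is None or store.family_revoked(record.family) or now >= record.expires_at:
        return 400, {"error": "invalid_grant"}
    if record.used:
        # A rotated-out token came back, so a copy exists somewhere. Revoking the
        # family stops both holders and surfaces the leak as a forced re-login.
        store.revoke_family(record.family)
        return 400, {"error": "invalid_grant"}
    record.used = True  # rotation: the presented refresh token is consumed
    return 200, issue_tokens(store, record.subject, record.family, now)


if __name__ == "__main__":
    store = TokenStore()
    first = issue_tokens(store, "alice", now=1_000)
    form = {"grant_type": "refresh_token", "refresh_token": first["refresh_token"]}
    status, second = handle_token_request(store, form, now=1_100)
    print(status, second["refresh_token"] != first["refresh_token"])  # 200 True
    status, body = handle_token_request(store, form, now=1_200)      # replay of the consumed token
    print(status, body)  # 400 {'error': 'invalid_grant'}
```

The handler answers every failure with the same `invalid_grant` body so a caller cannot tell an unknown token from a revoked or expired one; the distinguishing detail belongs in the server's audit log, where a replay of a consumed token is the signal worth alerting on.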
