{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreifomsdvyzrofj3moxkwh5nkihukb7m7lpzlpciscp5ttqjxpym6fa",
"uri": "at://did:plc:5sgu76a53rz3n6unbykmovqy/app.bsky.feed.post/3mloeufokjuo2"
},
"description": "A refresh token is a long-lived credential issued alongside a short-lived access token, used to obtain new access tokens without prompting the user to authenticate again. Refresh tokens trade convenience for risk: longer life means a wider compromise window, so they are stored more carefully and handled more strictly than access tokens.\n\n\nHow it works\n\nWhen the user authorizes a client, the authorization server issues both an access token (valid for minutes) and a refresh token (valid for days t",
"path": "/engineering-glossary/refresh-token-oauth/",
"publishedAt": "2026-05-12T18:04:56.000Z",
"site": "https://sahilkapoor.com",
"tags": [
"OAuth 2.0",
"OIDC",
"JWT",
"Bearer Token",
"Session",
"PKCE",
"Authorization Server"
],
"textContent": "**A refresh token** is a long-lived credential issued alongside a short-lived access token, used to obtain new access tokens without prompting the user to authenticate again. Refresh tokens trade convenience for risk: longer life means a wider compromise window, so they are stored more carefully and handled more strictly than access tokens.\n\n## How it works\n\nWhen the user authorizes a client, the authorization server issues both an access token (valid for minutes) and a refresh token (valid for days to months, often with rotation). When the access token expires, the client posts the refresh token to the token endpoint with `grant_type=refresh_token` and receives a new access token, optionally with a new refresh token.\n\n## Storage considerations\n\n * **Server-rendered web apps:** refresh tokens belong server-side, never in the browser.\n * **Single-page apps:** PKCE with short-lived access tokens and a refresh token in an HttpOnly cookie, or silent renewal via the auth server.\n * **Native apps:** stored in the platform secure keystore (Keychain on iOS, Keystore on Android).\n * **Rotation:** issuing a new refresh token on every use and invalidating the previous one limits replay if a refresh token leaks.\n\n**Related Terms**\nOAuth 2.0, OIDC, JWT, Bearer Token, Session, PKCE, Authorization Server.",
"title": "Refresh Token",
"updatedAt": "2026-05-13T19:15:14.406Z"
}