When an access token expires, developers can use an optional refresh token to request a new access token without having to ask the user to enter their credentials again.
Refresh tokens are credentials used to obtain:
A refresh token is a string representing the authorization granted to the client by the resource owner.
The string is usually opaque to the client.
The token denotes an identifier used to retrieve the authorization information.
Unlike access tokens, refresh tokens are intended for use only with the token endpoint (authorization server component) and are never sent to resource servers.
Refresh tokens are issued to the client by the token endpoint (authorization server component).
Issuing a refresh token is optional at the discretion of the authorization server. If the token endpoint (authorization server component) issues a refresh token, it is included when issuing an access token
where:
Get the first refresh token
Client gets resources while the access token is valid
Client asks for new access token with refresh token
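The three steps above as an added example, not code from the original page: a constructed in-memory model in which the refresh token is an opaque identifier for stored authorization information and is honoured only by the token endpoint. The class and function names, the 300-second lifetime and the client and user values are assumptions; client authentication is reduced to a `client_id` match.

```python
import secrets

class AuthorizationServer:
    ACCESS_TTL = 300  # seconds; assumed lifetime for this constructed model

    def __init__(self):
        self.now = 0             # fake clock so expiry can be shown offline
        self.grants = {}         # refresh token -> stored authorization info
        self.access_tokens = {}  # access token -> (grant, expiry time)

    def _issue_access(self, grant):
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = (grant, self.now + self.ACCESS_TTL)
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL}

    def initial_grant(self, client_id, user, scope):
        """Stands in for the first, user-interactive authorization."""
        grant = {"client_id": client_id, "user": user, "scope": scope}
        refresh = secrets.token_urlsafe(32)  # opaque: carries no claims itself
        self.grants[refresh] = grant
        return {**self._issue_access(grant), "refresh_token": refresh}

    def token_endpoint(self, params):
        """Handles grant_type=refresh_token (RFC 6749, section 6)."""
        if params.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        grant = self.grants.get(params.get("refresh_token"))
        if grant is None or grant["client_id"] != params.get("client_id"):
            return {"error": "invalid_grant"}
        return self._issue_access(grant)  # no user credentials involved

def resource_server(auth, bearer):
    """Accepts only unexpired access tokens; refresh tokens are unknown here."""
    entry = auth.access_tokens.get(bearer)
    return 200 if entry and entry[1] > auth.now else 401

def run_flow():
    auth = AuthorizationServer()
    first = auth.initial_grant("client-1", "alice", "read")  # constructed values
    results = [resource_server(auth, first["access_token"])]        # still valid
    auth.now += AuthorizationServer.ACCESS_TTL + 1                   # time passes
    results.append(resource_server(auth, first["access_token"]))    # expired
    renewed = auth.token_endpoint({"grant_type": "refresh_token",
                                   "refresh_token": first["refresh_token"],
                                   "client_id": "client-1"})
    results.append(resource_server(auth, renewed["access_token"]))  # valid again
    results.append(resource_server(auth, first["refresh_token"]))   # rejected
    return results
```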