Oauth - Refresh token


When an access token expires, developers can use an optional refresh token to request a new access token without having to ask the user to enter their credentials again.

Refresh tokens are credentials used to obtain:

  • access tokens when the current access token becomes invalid or expires,
  • additional access tokens with identical or narrower scope (access token may have a shorter lifetime and fewer permissions than authorized by the resource owner).


A refresh token is a string representing the authorization granted to the client by the resource owner.

The string is usually opaque to the client.

The token denotes an identifier used to retrieve the authorization information.

Unlike access tokens, refresh tokens are intended for use only with token endpoint (authorization servers component) and are never sent to resource servers.



Refresh tokens are issued to the client by the token endpoint (authorization server component).

Issuing a refresh token is optional at the discretion of the authorization server. If the token endpoint (authorization server component) issues a refresh token, it is included when issuing an access token


Get the first refresh token

Client gets resources until the access token is valid

Client asks for new access token with refresh token

Documentation / Reference

Powered by ComboStrap