OAuth - Refresh token



When an access token expires, the client can use an optional refresh token to request a new access token without asking the user to enter their credentials again.

Refresh tokens are credentials used to obtain:

  • access tokens when the current access token becomes invalid or expires,
  • additional access tokens with identical or narrower scope (an access token may have a shorter lifetime and fewer permissions than the authorization granted by the resource owner).


A refresh token is a string representing the authorization granted to the client by the resource owner.

The string is usually opaque to the client.

The token denotes an identifier used to retrieve the authorization information.

Unlike access tokens, refresh tokens are intended for use only with the token endpoint (a component of the authorization server) and are never sent to resource servers.



Refresh tokens are issued to the client by the token endpoint (a component of the authorization server).

Issuing a refresh token is optional, at the discretion of the authorization server. If the token endpoint issues one, it is included in the same response that delivers the access token.


The resulting flow:

  • get the first refresh token (it arrives together with the first access token),
  • the client gets resources as long as the access token is valid,
  • the client asks for a new access token with the refresh token.
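The three steps above, together with the rules stated earlier (the refresh token goes only to the token endpoint, the scope on refresh may be identical or narrower but never wider, and the refresh token rides along with the access token), as an added example that is not the page's own code. The token endpoint, resource server and client are constructed in-process stand-ins: no network, opaque random token strings, an injectable clock so expiry can be forced without sleeping, and a toy server that always issues a refresh token and rotates it on every use (the spec leaves both choices to the authorization server). The client id `app-123`, the scopes and the 60-second lifetime are made-up values.

```python
"""Toy OAuth 2.0 refresh-token grant (RFC 6749 section 6), simulated in-process.

Added example, not the page's own code: the token endpoint, resource server and
client are constructed stand-ins (no network, opaque random tokens, injectable clock).
"""
import secrets
import time


class TokenEndpoint:
    """Authorization-server component: the only party a refresh token is ever sent to."""

    def __init__(self, access_ttl=60, clock=time.time):
        self.access_ttl = access_ttl  # access-token lifetime in seconds (constructed value)
        self.clock = clock
        self.access_tokens = {}   # opaque access token  -> {client_id, scope, exp}
        self.refresh_tokens = {}  # opaque refresh token -> {client_id, scope}

    def _issue(self, client_id, scope):
        """Token response: a fresh refresh token is included alongside the access token."""
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
        self.access_tokens[access] = {"client_id": client_id, "scope": scope,
                                      "exp": self.clock() + self.access_ttl}
        self.refresh_tokens[refresh] = {"client_id": client_id, "scope": scope}
        return {"access_token": access, "token_type": "Bearer", "expires_in": self.access_ttl,
                "scope": " ".join(sorted(scope)), "refresh_token": refresh}

    def grant_initial(self, client_id, scope):
        """Stand-in for the first grant (e.g. authorization code): issues both tokens."""
        return self._issue(client_id, frozenset(scope))

    def grant_refresh(self, client_id, refresh_token, scope=None):
        """grant_type=refresh_token: check client binding, allow identical or narrower scope, rotate."""
        record = self.refresh_tokens.get(refresh_token)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        requested = frozenset(scope) if scope else record["scope"]
        if not requested <= record["scope"]:
            return {"error": "invalid_scope"}  # a refresh can never widen what was authorized
        del self.refresh_tokens[refresh_token]  # rotation: each refresh token is single-use
        return self._issue(client_id, requested)

    def is_active(self, access_token):
        """Validity check a resource server performs (introspection stand-in)."""
        rec = self.access_tokens.get(access_token)
        return rec is not None and rec["exp"] > self.clock()


def resource_server(endpoint, access_token):
    """Resource server: accepts access tokens only and never sees a refresh token."""
    return (200, {"data": "protected resource"}) if endpoint.is_active(access_token) else (401, None)


class Client:
    """Uses the access token until it stops working, then redeems the refresh token."""

    def __init__(self, client_id, endpoint):
        self.client_id, self.endpoint = client_id, endpoint
        self.tokens = endpoint.grant_initial(client_id, ["read", "write"])  # step 1
        self.refresh_count = 0

    def fetch(self):
        status, body = resource_server(self.endpoint, self.tokens["access_token"])  # step 2
        if status == 401:  # access token expired or revoked: step 3
            new = self.endpoint.grant_refresh(self.client_id, self.tokens["refresh_token"])
            if "error" in new:
                raise RuntimeError("refresh failed; the user must authorize again")
            self.tokens = new
            self.refresh_count += 1
            status, body = resource_server(self.endpoint, self.tokens["access_token"])
        return status, body


def run_demo():
    """Drive the three steps plus the failure modes; returns the observable outcomes."""
    now = [0.0]  # mutable fake clock so expiry can be forced without sleeping
    endpoint = TokenEndpoint(access_ttl=60, clock=lambda: now[0])
    client = Client("app-123", endpoint)
    first_refresh = client.tokens["refresh_token"]
    results = {"before_expiry": client.fetch()[0]}  # 200, no refresh needed
    now[0] += 61                                     # access token is now expired
    results["after_expiry"] = client.fetch()[0]      # 200 again, obtained via refresh
    results["refreshes"] = client.refresh_count      # 1
    # Replaying the rotated-out first refresh token is rejected.
    results["replay"] = endpoint.grant_refresh("app-123", first_refresh)["error"]
    # Another client presenting a live refresh token is rejected (client binding).
    results["wrong_client"] = endpoint.grant_refresh("other-app", client.tokens["refresh_token"])["error"]
    # Narrowing scope on refresh is allowed; widening it is not.
    narrower = endpoint.grant_refresh("app-123", client.tokens["refresh_token"], scope=["read"])
    results["narrow_scope"] = narrower["scope"]
    results["widen"] = endpoint.grant_refresh("app-123", narrower["refresh_token"],
                                              scope=["read", "admin"])["error"]
    return results


if __name__ == "__main__":
    print(run_demo())
```

The client never hands the refresh token to `resource_server`; only `grant_refresh` on the token endpoint accepts it, and a 401 from the resource is the trigger for step 3. The replay and wrong-client checks show why the endpoint keeps the refresh token bound to the client it was issued to and invalidates it after use: a leaked or replayed refresh token then buys nothing, and the client falls back to a full re-authorization.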
