OAuth - Refresh token



When an access token expires, developers can use an optional refresh token to request a new access token without having to ask the user to enter their credentials again.

Refresh tokens are credentials used to obtain:

  • access tokens when the current access token becomes invalid or expires,
  • additional access tokens with identical or narrower scope (these access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).


A refresh token is a string representing the authorization granted to the client by the resource owner.

The string is usually opaque to the client.

The token denotes an identifier used to retrieve the authorization information.

Unlike access tokens, refresh tokens are intended for use only with the token endpoint (an authorization server component) and are never sent to resource servers.



Refresh tokens are issued to the client by the token endpoint (authorization server component).

Issuing a refresh token is optional, at the discretion of the authorization server. If the token endpoint (authorization server component) issues a refresh token, it is included when issuing an access token.


Get the first refresh token

Client gets resources while the access token is valid

Client asks for new access token with refresh token
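
The three steps above, as an added example that is not from the original page: a toy in-memory token endpoint in Python. The class and method names, the 300-second lifetime, the `client_id` binding check and the `introspect` helper are assumptions made for illustration; `invalid_grant` and `invalid_scope` are the standard OAuth 2.0 token endpoint error codes.

```python
import secrets
import time


class TokenEndpoint:
    """Toy in-memory token endpoint (constructed for illustration)."""
    ACCESS_TTL = 300  # access token lifetime in seconds (assumed value)

    def __init__(self):
        self._grants = {}  # refresh token -> authorization information
        self._access = {}  # access token -> (scope, expires_at)

    def _issue_access(self, scope, now):
        token = secrets.token_urlsafe(32)
        self._access[token] = (frozenset(scope), now + self.ACCESS_TTL)
        return token

    def authorize(self, client_id, scope, now=None):
        """Step 1: first issuance, access token plus optional refresh token."""
        now = time.time() if now is None else now
        refresh = secrets.token_urlsafe(32)  # opaque: only a lookup key
        self._grants[refresh] = {"client_id": client_id,
                                 "scope": frozenset(scope)}
        return {"access_token": self._issue_access(scope, now),
                "refresh_token": refresh, "expires_in": self.ACCESS_TTL}

    def refresh(self, client_id, refresh_token, scope=None, now=None):
        """Step 3: grant_type=refresh_token, identical or narrower scope."""
        now = time.time() if now is None else now
        grant = self._grants.get(refresh_token)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}  # unknown token or wrong client
        requested = grant["scope"] if scope is None else frozenset(scope)
        if not requested <= grant["scope"]:
            return {"error": "invalid_scope"}  # never wider than the grant
        return {"access_token": self._issue_access(requested, now),
                "expires_in": self.ACCESS_TTL}

    def introspect(self, access_token, now=None):
        """Step 2, resource server side: scope if still valid, else None."""
        now = time.time() if now is None else now
        scope, expires_at = self._access.get(access_token, (frozenset(), 0))
        return scope if now < expires_at else None
```

Because `introspect` only looks up access tokens, a refresh token presented to the resource server side is rejected like any unknown token.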
