A refresh token is the long-lived partner to a short-lived access token. When the access token expires, the client sends the refresh token to the token endpoint and receives a new access token (and usually a new refresh token too).
Why they exist
Access tokens should be short-lived to limit blast radius if they leak. But re-authenticating the user every few minutes is terrible UX. Refresh tokens bridge the gap — the user stays signed in while the access tokens rotate in the background.
Rotation and reuse detection
Modern OAuth best practice: every time a refresh token is used, issue a new one AND invalidate the old one. If an already-rotated refresh token is presented again, that is a leak signal: the server cannot tell whether the replay came from the legitimate client or from whoever copied the token, so invalidate the entire family (every token descended from that login) and force re-auth.
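As an added example (not code from the original page), a minimal in-memory model of rotation with family-based reuse detection in Python. The store, its method names and the `events` list are assumptions for illustration; tokens are kept by hash only so a database leak does not hand out usable refresh tokens.

```python
import hashlib
import secrets


class RefreshTokenStore:
    """Models refresh-token rotation with reuse detection (assumed API).

    Every login starts a token 'family'. Each rotation mints a new token in
    the same family and marks the old one as used. Presenting a used token
    again revokes the whole family, so both the client and any attacker who
    copied the token are forced to re-authenticate.
    """

    def __init__(self):
        self._tokens = {}    # token_hash -> {"family": str, "user": str, "used": bool}
        self._families = {}  # family_id -> {"user": str, "revoked": bool}
        self.events = []     # detection log: (event, family_id, user)

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, family, user):
        token = secrets.token_urlsafe(32)
        self._tokens[self._h(token)] = {"family": family, "user": user, "used": False}
        return token

    def issue(self, user):
        """Start a new family at login; return (first refresh token, family id)."""
        family = secrets.token_hex(8)
        self._families[family] = {"user": user, "revoked": False}
        return self._mint(family, user), family

    def rotate(self, token):
        """Exchange a refresh token. Returns the replacement token, or None if rejected."""
        rec = self._tokens.get(self._h(token))
        if rec is None:
            return None
        fam = self._families[rec["family"]]
        if fam["revoked"]:
            return None
        if rec["used"]:
            # Replay of an already-rotated token: leak signal, kill the family.
            fam["revoked"] = True
            self.events.append(("refresh_token_reuse", rec["family"], rec["user"]))
            return None
        rec["used"] = True
        return self._mint(rec["family"], rec["user"])

    def family_revoked(self, family):
        return self._families[family]["revoked"]
```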
Storage
- Browsers: refresh token in an HttpOnly cookie (not in localStorage)
- Native apps: OS-level secure storage (Keychain, Android Keystore)
- Server-side: encrypted in a database
When you don’t need them
If your access token lives for 24 hours and your user is active within that window, refresh tokens are largely academic. They earn their complexity in high-activity sessions with short-lived access tokens.