Refresh Token

A refresh token is a credential used to obtain a new access token without forcing the user to reauthenticate every time a short-lived token expires. In plain language, it helps a session continue safely by renewing access instead of making the user sign in again for every normal token timeout.

Why It Matters

Refresh tokens matter because organizations often want access tokens to stay short-lived. Shorter-lived access reduces exposure, but users and applications still need a practical way to continue working without repeated login prompts.

They also matter because refresh tokens require stronger protection than ordinary access tokens. If they are exposed, an attacker may be able to keep obtaining fresh access for longer than intended.

Where It Appears in Real Systems or Security Workflow

Refresh tokens appear in OAuth flows, mobile applications, web sessions backed by token services, and OpenID Connect implementations. Teams connect them to Access Token, Token Revocation, Session Management, and Identity Provider.

They are part of the balance between security, usability, and session continuity.

Practical Example

A mobile application receives a short-lived access token plus a refresh token after the user signs in. When the access token expires later, the app uses the refresh token to obtain a new one instead of sending the user through the full login flow again.

Common Misunderstandings and Close Contrasts

A refresh token is not supposed to be used like an Access Token for ordinary API calls. Its main role is token renewal, not general resource access.

It is also different from simply extending an existing token forever. Good refresh-token handling still depends on expiration, storage protection, and revocation strategy.
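The renewal flow from the Practical Example, with the expiration, server-side storage protection and revocation strategy described above, as an added example that is not part of the original page. The in-memory store, the HMAC key, the 5-minute/14-day lifetimes and the reuse-detection rule are constructed assumptions standing in for a real token service.

```python
import hashlib
import hmac
import secrets
import time


class RefreshTokenService:
    """Issues short-lived access tokens and rotating, revocable refresh tokens."""

    ACCESS_TTL = 300                 # assumed: 5-minute access tokens
    REFRESH_TTL = 14 * 24 * 3600     # assumed: 14-day refresh tokens

    def __init__(self, key: bytes, now=time.time):
        self.key = key               # constructed key for hashing stored tokens
        self.now = now               # injectable clock for expiry checks
        self.store = {}              # HMAC(token) -> record; raw tokens are never stored
        self.revoked_families = set()

    def _hash(self, token: str) -> str:
        return hmac.new(self.key, token.encode(), hashlib.sha256).hexdigest()

    def _access_token(self, user: str) -> dict:
        # Stand-in for a signed access token (for example a JWT) with a short expiry.
        return {"sub": user, "exp": self.now() + self.ACCESS_TTL}

    def _issue_refresh(self, user: str, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self.store[self._hash(token)] = {"user": user, "family": family,
                                         "exp": self.now() + self.REFRESH_TTL,
                                         "used": False}
        return token

    def login(self, user: str) -> dict:
        # Every sign-in starts a new token family so rotations can be traced back to it.
        family = secrets.token_hex(8)
        return {"access_token": self._access_token(user),
                "refresh_token": self._issue_refresh(user, family)}

    def refresh(self, token: str) -> dict:
        rec = self.store.get(self._hash(token))
        if rec is None or rec["family"] in self.revoked_families:
            raise PermissionError("unknown or revoked refresh token")
        if rec["used"]:
            # A rotated token presented twice means two parties hold copies;
            # revoke the whole family so neither can keep renewing access.
            self.revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        if rec["exp"] < self.now():
            raise PermissionError("refresh token expired")
        rec["used"] = True           # rotation: the presented token is single-use
        return {"access_token": self._access_token(rec["user"]),
                "refresh_token": self._issue_refresh(rec["user"], rec["family"])}
```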