Refresh tokens
A refresh token is an opaque token that contains the information required to obtain a new access token. A refresh token is long-lived, as opposed to short-lived access tokens and ID tokens.
A refresh token is an OAuth 2.0-specific token. It is issued as part of the authorization flow. However, it is only issued when the client uses the authorization_code grant type and the Issue refresh tokens option is selected in the web client configuration.
For mobile applications, refresh tokens are issued by enabling the PIN authentication in the app configuration page.
Refresh tokens can have a validity period specified, so that they are revoked upon usage after a certain amount of time.
Note
Ensure that refresh tokens are stored securely and are not leaked. A leaked refresh token means that a user account can be compromised.
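The following client-side sketch is an added example, not code from this product or its documentation. It builds the refresh request defined in RFC 6749 section 6, keeps the refresh token in an owner-only file, and replaces it when the server returns a rotated one. The file name, the token values and a POSIX file system are assumptions made for the example.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlencode


def build_refresh_request(refresh_token):
    """Form body of the RFC 6749 section 6 refresh grant, POSTed to the token endpoint over TLS."""
    # Client authentication (if the client has credentials) is sent separately.
    return urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})


def save_refresh_token(path, refresh_token):
    """Store the token in a file that only the owning user can read."""
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        json.dump({"refresh_token": refresh_token}, fh)
    os.replace(tmp, path)


def load_refresh_token(path):
    """Read the token back, refusing a file that group or others can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {oct(mode)}, expected 0o600")
    with open(path) as fh:
        return json.load(fh)["refresh_token"]


def handle_token_response(path, response_json, current_refresh_token):
    """Return the new access token and persist a rotated refresh token, if any."""
    data = json.loads(response_json)
    if "error" in data:
        # invalid_grant: the refresh token is expired or revoked; re-authenticate.
        raise RuntimeError(data["error"])
    rotated = data.get("refresh_token", current_refresh_token)
    if rotated != current_refresh_token:
        save_refresh_token(path, rotated)  # the old token is discarded
    return data["access_token"]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample values below
        store = os.path.join(d, "refresh_token.json")  # hypothetical file name
        save_refresh_token(store, "rt-constructed-1")
        print(build_refresh_request(load_refresh_token(store)))
        reply = '{"access_token": "at-constructed-2", "refresh_token": "rt-constructed-2"}'
        print(handle_token_response(store, reply, "rt-constructed-1"))
        print(load_refresh_token(store))
```

On platforms that offer one, an OS keystore is a stronger place for the token than a file; the file store here only keeps the example self-contained.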