A Refresh Token is a special kind of token that can be used to obtain a renewed access token. Care must be exercised with refresh tokens - they must be stored securely by an application as they essentially can be used to allow a user to remain authenticated forever.
Refresh tokens are supported for the following flows: authorisation code, hybrid and resource owner password credential flow. Clients needs to be allowed to request the offline_access scope to get a refresh token.
We support the following client configuration options for refresh tokens:
Refresh Token Usage
- the refresh token handle will stay the same when refreshing tokens
- the refresh token handle will be updated when refreshing tokens
Refresh Token Expiration
- the refresh token will expire on a fixed point in time (specified by the Absolute Refresh Token Lifetime below)
- when refreshing the token, the lifetime of the refresh token will be renewed (by the amount specified in Sliding Refresh Token Lifetime below). The lifetime will not exceed the absolute lifetime.
Absolute Refresh Token Lifetime
Maximum lifetime of a refresh token in seconds. The default is 2592000 seconds / 30 days
Sliding Refresh Token Lifetime
Sliding lifetime of a refresh token in seconds. The default is 1296000 seconds / 15 days