After an access token is generated, you might sometimes have to refresh or renew the old token due to expiration or security concerns. Use the refresh token grant when a new access token is needed. With this grant type, the refresh token acts as a credential that the authorization server issues to the client. Issuing a refresh token is optional. If the authorization server issues a refresh token, it is included when the access token is issued. Refresh tokens are issued for all grant types other than the implicit grant, as recommended by the OAuth 2.0 specification.
Tip: Keep the refresh token private, just as you would the access token, because this token is used to issue access tokens without user interaction.
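The following is an added example, not code from the original page or from any product it describes. It sketches a client's side of the refresh token grant as defined in RFC 6749 section 6: the refresh token travels only in the POST body over HTTPS, and the stored token set is updated whether or not the server returns a new refresh token. The endpoint URL, client credentials, token values and function names are assumptions made for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed endpoint for illustration; use your authorization server's token URL.
TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token"


def build_refresh_request(client_id, client_secret, refresh_token,
                          endpoint=TOKEN_ENDPOINT):
    """Build (but do not send) a refresh token grant request."""
    # The refresh token is a credential: refuse to send it over plain HTTP.
    if not endpoint.lower().startswith("https://"):
        raise ValueError("token endpoint must use HTTPS")
    # Form-encoded POST body keeps the token out of URLs and access logs.
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    ).encode("ascii")
    # Client authentication via HTTP Basic (RFC 6749 section 2.3.1).
    pair = f"{urllib.parse.quote_plus(client_id)}:{urllib.parse.quote_plus(client_secret)}"
    basic = base64.b64encode(pair.encode("ascii")).decode("ascii")
    return urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def apply_token_response(stored, response_json):
    """Return the updated token set after a refresh response."""
    resp = json.loads(response_json)
    if "error" in resp:
        # For example invalid_grant: the refresh token expired or was revoked,
        # so the user has to authorize again.
        raise PermissionError(resp["error"])
    updated = dict(stored)
    updated["access_token"] = resp["access_token"]
    # A new refresh token is optional. If one is issued it replaces the old
    # one; otherwise the client keeps using the refresh token it already has.
    updated["refresh_token"] = resp.get("refresh_token", stored["refresh_token"])
    return updated
```

To send the request, pass the object returned by `build_refresh_request` to `urllib.request.urlopen` and feed the response body to `apply_token_response`.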
...