Refresh Token Rotation.
The OAuth pattern of issuing a new refresh token (and invalidating the old) on every refresh operation — bounding the replay window for stolen refresh tokens and enabling automatic theft detection.
The parallel-use (reuse) detection is the often-missed benefit. Suppose an attacker steals RT1 and redeems it, receiving RT2; when the legitimate client later presents RT1 again, the server sees a token that has already been rotated, which can only happen if two parties hold a copy. The standard response is to revoke the entire family — RT1, RT2, and any access tokens issued from them — forcing re-authentication. This converts what would have been a silent token-theft success into a noisy detection signal.
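A minimal server-side store that implements the rotation and family revocation described above, added here as an illustration rather than code from the page; the in-memory dictionaries, the family id scheme and the InvalidGrant class are constructed for the example:

```python
import secrets
from dataclasses import dataclass


class InvalidGrant(Exception):
    """Maps to the OAuth 'invalid_grant' error; the client must re-authenticate."""


@dataclass
class RefreshRecord:
    family_id: str      # every token descended from one authorization shares a family
    used: bool = False  # set once the token has been redeemed (rotated)


class RefreshTokenStore:
    """Refresh token rotation with reuse detection (constructed example)."""

    def __init__(self) -> None:
        self.refresh_tokens: dict[str, RefreshRecord] = {}
        self.access_tokens: dict[str, str] = {}  # access token -> family_id
        self.revoked_families: set[str] = set()

    def issue_family(self) -> tuple[str, str]:
        """Initial grant: start a new family, return (refresh_token, access_token)."""
        return self._mint(secrets.token_urlsafe(16))

    def _mint(self, family_id: str) -> tuple[str, str]:
        rt, at = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = RefreshRecord(family_id)
        self.access_tokens[at] = family_id
        return rt, at

    def refresh(self, presented: str) -> tuple[str, str]:
        """Rotate: mark the presented token used and mint a successor in its family."""
        record = self.refresh_tokens.get(presented)
        if record is None or record.family_id in self.revoked_families:
            raise InvalidGrant("unknown or revoked refresh token")
        if record.used:
            # An already-rotated token is being presented again, so two parties hold
            # a copy. The server cannot tell which one is the thief, so it revokes the
            # whole family and forces both back through authentication.
            self.revoke_family(record.family_id)
            raise InvalidGrant("refresh token reuse detected; family revoked")
        record.used = True
        return self._mint(record.family_id)

    def revoke_family(self, family_id: str) -> None:
        self.revoked_families.add(family_id)

    def access_token_valid(self, at: str) -> bool:
        family_id = self.access_tokens.get(at)
        return family_id is not None and family_id not in self.revoked_families
```

Persisting the `used` flag atomically matters in practice: two concurrent refreshes with the same token must not both succeed, or the reuse check is bypassed by a race.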
Common questions
Why rotate refresh tokens?
What happens when a rotated refresh token is reused?
Does refresh token rotation break offline clients?
In the guides
OAuth 2.1 Explained: What Changed and Why It Matters
OAuth 2.1 consolidates fifteen years of OAuth 2.0 practice into a single coherent specification. What it deprecates, what it requires, and how to migrate existing OAuth 2.0 code.
Token Lifetime Best Practices: Access, Refresh, ID, and Session Tokens in 2026
How to set access, refresh, ID, and session token lifetimes for CIAM in 2026, the trade-offs, the defaults that work, and the patterns that fail in production.
Token Management for AI Agents: Lifetimes, Rotation, and Revocation at Machine Speed
Agent tokens are stolen faster and used harder than human tokens. How to set lifetimes, rotate refresh tokens, scope per-tool, and detect anomalies in production agent deployments.