Refresh Token.
A long-lived OAuth 2.0 credential the client uses to obtain new access tokens without re-authenticating the user.
Refresh token rotation with reuse detection is the most effective single deployment hardening for OAuth in 2026. Each refresh invalidates the token just presented and issues a new one, so a stolen token and its legitimate copy cannot both stay valid: whichever party presents the old value second produces a replay signal, which catches token theft often before the user notices anything is wrong.
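The rotation-and-reuse-detection flow described above, as an added example in Python (not code from this page or from any particular OAuth library). It models only the authorization server's refresh-token store: the token family, the hashed token index, the 30-day absolute lifetime and the status strings are assumptions for illustration.

```python
"""Refresh-token rotation with reuse detection (added example).

Every login creates a token *family*. Each refresh marks the presented
token as used and issues a fresh one in the same family. If a used token
is ever presented again, someone holds a copy that should not exist, so
the whole family is revoked: both the attacker and the victim are logged
out, and the victim's next refresh fails loudly instead of silently.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class TokenRecord:
    family_id: str
    subject: str
    expires_at: float
    used: bool = False  # set once this token has been exchanged


@dataclass
class RefreshTokenStore:
    # Hypothetical absolute lifetime for the family's tokens (30 days).
    ttl_seconds: float = 30 * 24 * 3600
    # sha256(token) -> record; only hashes are stored so a DB leak does
    # not hand out live refresh tokens.
    tokens: Dict[str, TokenRecord] = field(default_factory=dict)
    revoked_families: Set[str] = field(default_factory=set)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject: str, family_id: Optional[str] = None,
              now: Optional[float] = None) -> str:
        """Mint a new refresh token; a new family is started at login."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[self._key(token)] = TokenRecord(
            family_id=family_id or secrets.token_hex(8),
            subject=subject,
            expires_at=now + self.ttl_seconds,
        )
        return token

    def rotate(self, presented: str,
               now: Optional[float] = None) -> Tuple[Optional[str], str]:
        """Exchange `presented` for a new token. Returns (new_token, status);
        new_token is None unless status == "ok"."""
        now = time.time() if now is None else now
        rec = self.tokens.get(self._key(presented))
        if rec is None:
            return None, "invalid"
        if rec.family_id in self.revoked_families:
            return None, "family_revoked"
        if now >= rec.expires_at:
            return None, "expired"
        if rec.used:
            # Replay of an already-rotated token: the reuse signal.
            # Revoke every token descended from this login.
            self.revoked_families.add(rec.family_id)
            return None, "reuse_detected"
        rec.used = True
        return self.issue(rec.subject, rec.family_id, now), "ok"


def demo() -> list:
    """Constructed scenario: attacker copies the first token, victim
    refreshes, attacker replays the stale copy, victim is logged out."""
    store = RefreshTokenStore()
    t0 = store.issue("alice", now=0.0)
    stolen = t0                              # attacker exfiltrates t0
    t1, s1 = store.rotate(t0, now=10.0)      # victim refreshes normally
    _, s2 = store.rotate(stolen, now=20.0)   # attacker replays t0
    _, s3 = store.rotate(t1, now=30.0)       # victim's live token is dead too
    return [s1, s2, s3]


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the family-revoked test runs before the used test so that a victim's still-unused current token is rejected after an attacker's replay, and an expired token never triggers family revocation just because it was eventually replayed. In a real deployment the store is a database with a unique index on the token hash, and `reuse_detected` should raise an alert, not just a 400.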
Common questions
How long should refresh tokens live?
What is refresh token rotation?
Where should I store refresh tokens?
In the guides
OAuth 2.1 Explained: What Changed and Why It Matters
OAuth 2.1 consolidates fifteen years of OAuth 2.0 practice into a single coherent specification. What it deprecates, what it requires, and how to migrate existing OAuth 2.0 code.
Session Management: JWTs vs Opaque Tokens, and How to Pick
JWT-based and opaque-token sessions trade off scale against revocability; the 2026 default is hybrid. Patterns, revocation, and where each is the right answer.