🔁
Refresh Token
Session Management
Long-lived credential used to obtain new access tokens; must be protected and rotated.
Definition
Refresh tokens are used to mint new short-lived access tokens. They should be stored securely, bound to a client/device when possible, and rotated on use with revocation support.
In plain English
A refresh token is a long-lived secret an application presents to get a fresh, short-lived access token. Because it stays valid for so long, it must be kept safe, replaced each time it is used, and revocable when something goes wrong.
Why this matters
Compromised refresh tokens enable long-term account access; rotation and revocation reduce impact.
Example
Rotate refresh tokens on every use and detect reuse of an already-rotated token; such reuse indicates theft, so terminate the affected sessions.