Concept
Refresh Token
A longer-lived credential used to obtain new access tokens without re-authenticating the user. Refresh tokens should be one-time-use (rotated on each exchange) and bound to the client. Storing them carelessly is one of the most common identity security failures.
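A minimal sketch of one-time-use rotation with client binding, added here as an illustration and not taken from any particular authorization server. The `RefreshTokenStore` class, its method names and the in-memory dictionary are assumptions; storing only a hash of each token and revoking the whole token family on replay go beyond what the definition above states.

```python
import hashlib
import secrets


class RefreshTokenStore:
    """Hypothetical in-memory store; a real service would use a database."""

    def __init__(self):
        # Maps SHA-256(token) -> record. The raw token is never kept server-side,
        # so a leaked table does not yield usable refresh tokens.
        self._records = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id, family=None):
        """Mint a token bound to client_id; rotated tokens share a family id."""
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = {
            "client_id": client_id,
            "family": family or secrets.token_hex(8),
            "used": False,
        }
        return token

    def exchange(self, token, client_id):
        """Return a replacement refresh token, or None if the exchange is refused."""
        rec = self._records.get(self._digest(token))
        if rec is None:
            return None  # unknown or already revoked
        if rec["client_id"] != client_id:
            return None  # presented by a client other than the one it was issued to
        if rec["used"]:
            # A rotated token was presented again: treat the family as compromised.
            self._revoke_family(rec["family"])
            return None
        rec["used"] = True  # one-time use: the old token is spent on exchange
        return self.issue(client_id, rec["family"])

    def _revoke_family(self, family):
        self._records = {
            d: r for d, r in self._records.items() if r["family"] != family
        }

    def stored_values(self):
        """What is actually persisted: digests only."""
        return list(self._records)
```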