Issuing a refresh token for an authorized application

Authorized applications can be configured to issue refresh tokens to extend access token validity without requiring users to reauthenticate.

By default, authorized applications do not issue refresh tokens.

If the application does not request refresh tokens, keep the Issue Refresh Token toggle off so that none are issued.

When the refresh token option is enabled, the application receives a refresh token together with an access token. The refresh token is used to obtain a new access token after the current one expires.

By default, the refresh token rotates periodically, for example, every eight hours. Application teams must use the latest rotated refresh token until it rotates again.

If the application team prefers not to rotate the refresh token, they can disable the Roll Refresh toggle. Disabling this setting also makes the Refresh Token Grant Lifetime infinite.

Application teams can modify the Refresh Token Grant Lifetime to define how long the refresh token remains valid. If the value is set to zero, the refresh token remains valid indefinitely. However, if a refresh token remains idle for more than 30 days, it is invalidated automatically.

After a refresh token expires or is revoked, the authorized application must reinitiate authorization using the original grant.
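The client-side handling these rules imply, as an added example that is not part of the original page or the product's code: always store whichever refresh token the latest response returned, and restart authorization on `invalid_grant`. `FakeAuthServer`, `TokenClient` and `ReauthorizationRequired` are hypothetical names. The in-memory server is a constructed stand-in that assumes a rotated-out token stops working and that the grant lifetime is counted from the original authorization.

```python
import secrets

IDLE_LIMIT = 30 * 24 * 3600   # idle invalidation window stated on the page
ROLL_INTERVAL = 8 * 3600      # the page's example rotation period

class FakeAuthServer:
    """Constructed stand-in for a token endpoint; not a real product API."""
    def __init__(self, grant_lifetime=0, roll_refresh=True):
        # Per the page: Roll Refresh off makes the grant lifetime infinite (0).
        self.grant_lifetime = grant_lifetime if roll_refresh else 0
        self.roll_refresh = roll_refresh
        self.grants = {}      # refresh token -> timestamps in seconds

    def authorize(self, now):
        rt = secrets.token_urlsafe(16)
        self.grants[rt] = {"granted": now, "rolled": now, "used": now}
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt}

    def refresh(self, rt, now):
        g = self.grants.get(rt)
        expired = g and self.grant_lifetime and now - g["granted"] > self.grant_lifetime
        idle = g and now - g["used"] > IDLE_LIMIT
        if g is None or expired or idle:
            self.grants.pop(rt, None)
            return {"error": "invalid_grant"}
        g["used"] = now
        if self.roll_refresh and now - g["rolled"] >= ROLL_INTERVAL:
            del self.grants[rt]               # assumption: old token is retired
            rt = secrets.token_urlsafe(16)
            self.grants[rt] = dict(g, rolled=now)
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt}

class ReauthorizationRequired(Exception):
    """The refresh token expired, idled out or was revoked."""

class TokenClient:
    def __init__(self, server, now):
        self.server = server
        self.refresh_token = server.authorize(now)["refresh_token"]

    def get_access_token(self, now):
        resp = self.server.refresh(self.refresh_token, now)
        if resp.get("error") == "invalid_grant":
            self.refresh_token = None         # discard; do not retry a dead token
            raise ReauthorizationRequired("restart the original grant")
        # Persist whatever came back: the refresh token may have rotated.
        self.refresh_token = resp["refresh_token"]
        return resp["access_token"]
```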