Skip to content

Refresh Tokens

Auth Service-issued refresh tokens are available for Keycloak and Microsoft Entra deployments that use Auth Service token exchange.

Auth0 and generic OIDC deployments rely on the identity provider’s token behavior instead of Auth Service refresh-token workflows.

Refresh tokens allow sessions or integrations to obtain a new access token without asking the user to sign in again. Rotation reduces risk by replacing a refresh token after use.

  • Treat refresh tokens as secrets.
  • Store them only in approved secure storage.
  • Rotate and revoke them according to customer policy.
  • Investigate repeated reuse or unexpected refresh failures.

If refresh fails, confirm the deployment uses Keycloak or Microsoft Entra token exchange, the refresh token has not expired or been reused outside policy, and the user still has required platform access.