Security

Refresh token

Long-lived OAuth credential to mint new access tokens.

In plain terms

Modern: rotate on every use, revoke the chain on reuse detection. Storage matters — httpOnly cookie or OS keychain, never localStorage.

Origin

In OAuth 2.0 (RFC 6749, 2012). Modern best practice — rotation-on-use plus reuse-detection — was popularised by Auth0 around 2020.

Where it shows up in production
  • Auth0 refresh token rotation: each refresh returns a new token; reuse of an old one revokes the entire chain.
  • AWS Cognito: refresh tokens last 30 days by default; rotation is optional.
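
A minimal server-side store showing the rotate-on-use and reuse-detection behaviour described above, as an added example (not code from Auth0, Cognito or the original page). It assumes an in-memory dict and a 30-day lifetime; a real deployment persists token families in a database and also issues the access token alongside each rotation.

```python
import secrets
import time
from typing import Optional


class RefreshTokenStore:
    """Refresh tokens grouped into families (chains), rotated on every use.

    Presenting an already-used token is treated as reuse, most likely a
    stolen token, so the whole family is revoked: neither the thief nor the
    legitimate client can refresh again until the user logs in afresh.
    """

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600):
        self.ttl = ttl_seconds
        # token -> {"family", "user", "used", "expires"}
        self._tokens: dict = {}
        self._revoked_families: set = set()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Start a new family at login and return its first refresh token."""
        family = secrets.token_hex(8)
        return self._mint(user, family, now)

    def _mint(self, user: str, family: str, now: Optional[float]) -> str:
        token = secrets.token_urlsafe(32)  # opaque, unguessable handle
        self._tokens[token] = {
            "family": family, "user": user, "used": False,
            "expires": (now if now is not None else time.time()) + self.ttl,
        }
        return token

    def rotate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Exchange a refresh token for a fresh one; None means reject."""
        now = now if now is not None else time.time()
        rec = self._tokens.get(token)
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # Reuse detected: revoke the entire chain, not just this token.
            self._revoked_families.add(rec["family"])
            return None
        if rec["expires"] < now:
            return None
        rec["used"] = True  # the old token is single-use from here on
        return self._mint(rec["user"], rec["family"], now)

    def family_revoked(self, token: str) -> bool:
        rec = self._tokens.get(token)
        return rec is not None and rec["family"] in self._revoked_families
```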