For applications where the user can stay logged in for long durations , use of refresh tokens can reduce the load on authorization server by allowing short lived, signed, self contained tokens which can be read by resource server , hence making the hit to authorization server introspection endpoint on each access of api un necessary.

What are refresh tokens?

Refresh tokens can be used by client to get fresh access tokens from auth server for accessing the resource server. While access tokens are typically short lived refresh tokens are 

Typically refresh tokens would be used when the application user should stay logged in for longer durations.

Why not have long lived access tokens which can be blacklisted by auth server ?

In the scenario that we do not want the user to re authenticate again and again, instead of long lived refresh token why not simply have long lived access token?

The reason is that long lived self contained access tokens cannot be blacklisted. long lived opaque access tokens can be blacklisted but this increases load on authorization server.

Here is how refresh tokens can actually improve both performance and security

Opaque access token (auth server check required, slower for client, more load for auth server)


Signed access token (auth server check not required, faster for client, more scalable for auth server)


Short lived signed access token and long lived refresh token reducing latency for client and load on auth server



What are the other uses of refresh tokens?

Refresh tokens can be used for creating sliding sessions. Sliding sessions are are sessions which expire after a period of inactivity.