Why do we need refresh token?

Refresh Tokens are credentials used to obtain access tokens . Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope.20 May 2017

The API returns a short-lived token (JWT), which expires in 15 minutes, and in HTTP cookies, the refresh token expires in 7 days. JWT is currently used for accessing secure ways on API, whereas a refresh token generates another new JWT access token when it expires or even before .

To use the refresh token, make a POST request to the service’s token endpoint with grant_type=refresh_token , and include the refresh token as well as the client credentials if required .

So why does a web application need a refresh token? The main reason to use refresh tokens in web applications is to reduce the lifetime of an access token . When a web application obtains an access token with a lifetime of five to 10 minutes, that token will likely expire while the user is using the application.