Monday, April 17, 2023, in Security One question which I frequently receive is: Why would you want to use long-lived refresh tokens that generate short-lived access tokens as commonly seen in OAuth 2.0, versus long-lived access tokens? Aren’t you simply replacing one long-lived token with another? Before diving into everything, some vocabulary to clarify: Definitions Access token: a secret token that clients can exchange with servers to get access to their resources. These can either be long-liv...