Long Lived and Short Lived Refresh Token

Is it possible to use the refresh token and get a different refresh token that is short-lived?

The thought is to use the long-lived Refresh Token to get an Access Token and a short-lived Refresh Token for the authenticated user.


Hi @rohitj

As refresh tokens can be used without a user’s consent to extend the access to a resource, what would be the scenario in which an app would need a second refresh token and not be able to use the main one?

Hi Dragos,

We have a scenario where

  1. User authenticates to an internal Auth service.
  2. Internal Auth System in turn needs to authenticate to Okta to get Access/ID/Refresh token.
  3. Auth service then saves the Refresh token for future use. If in the future we enable biometric auth (where no password is involved), then the saved refresh token can be used until it expires.
  4. Auth service returns the Access Token/ID token to the mobile app.
  5. Mobile app uses the Access Token/ID token.

What I was hoping to do was to issue a short-lived refresh token to the mobile app.


Hi @rohitj

Thank you for providing the scenario. At the moment, we do not support this functionality; however, I will mark it as a feature request in order to be visible to our engineering team for a future product enhancement.