Refresh Token change?

Hi I may be understanding wrong the purpose of a refresh token but If I configure in okta that refresh token will never expire and use the endpoint to get a refresh token should I receive always the same refresh token?

I am using v1/token endpoint to get a refresh token but this seems to be returning different values in different environments…I am confused about this behavior.

If the refresh_token can change, what’s the proper way of getting a refresh_token


What are you passing to the /v1/tokens endpoint?

If it is something like a new code for a user, or resource owner’s username and password, you will get a different refresh token. If you are using the refresh grant, then you should be getting back the same token. Does that make sense?

1 Like

So the question should be how do I get the refresh token using /oauth2/v1/token endpoint? I did not find an example or indications on how to do that

You need to request the offline_access scope during the initial OAuth flow. If you do that, you’ll get a refresh token (in addition to access and ID tokens). See here: How to get a refresh token

1 Like