OAuth 2.0 tokens

In OAuth 2.0, the Authorization Server issues access tokens to client apps that want to access resources in your registered APIs. In the authorization code grant flow, the Authorization Server’s response for each access token also includes a refresh token that client apps use to generate new access tokens.

Access token
A short-lived JSON web token that represents client app credentials. The Authorization Server provides an access token to a client app in all three available OAuth 2.0 flows (implicit grant, authorization code grant, and client credentials). Edge servers validate an access token and, if the validation is successful, forward a client request to origin for further validation. For security reasons, the access token’s predefined lifespan is 1800 seconds.

For headers and claims in an access token, see Access token headers and claims.

For a complete sample Authorization Server response that includes an access token, see sections on each available OAuth flow in Supported OAuth 2.0 flows.

Refresh token
An opaque token with a longer lifespan than an access token, used to generate a new access token when the current access token expires. The Authorization Server provides refresh tokens only in the authorization code grant flow that applies to confidential client apps. A client app must store a refresh token in a secure environment. The refresh token’s predefined lifespan is 20000 seconds.

For a complete sample Authorization Server response that includes a refresh token, see the Authorization code grant flow section.
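The two lifespans above drive one concrete decision on each side of the exchange: the edge must reject an access token whose signature does not verify or whose `exp` has passed, and the client must know whether to present its current access token, spend its refresh token, or start the authorization code grant again. The following Python is an added example written for this page, not code from the Authorization Server, the edge, or any SDK. It assumes an HS256 JWT signed with a constructed shared secret, the claim names `sub`, `iat` and `exp`, and that the client records when its opaque refresh token was issued (since the client cannot read an expiry out of it); all function names are the example's own.

```python
import base64
import hashlib
import hmac
import json
import time

# Lifespans as stated on the page (seconds).
ACCESS_TOKEN_LIFESPAN = 1800
REFRESH_TOKEN_LIFESPAN = 20000

# Assumption for this self-contained example only: the access token is an HS256 JWT
# signed with a shared secret. The real Authorization Server's algorithm, key
# handling and claim set are documented elsewhere, not on this page.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(client_id: str, issued_at: int, secret: bytes = DEMO_SECRET) -> str:
    """Mint a JWT whose exp is iat + 1800 s. Claim names (sub, iat, exp) are assumed."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": client_id, "iat": issued_at, "exp": issued_at + ACCESS_TOKEN_LIFESPAN}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_access_token(token: str, now: int, secret: bytes = DEMO_SECRET):
    """Edge-style check: reject anything not HS256, verify the signature in constant
    time, then enforce exp. Returns (accepted, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        provided_sig = _b64url_decode(parts[2])
        signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    except ValueError:                      # covers binascii, JSON and non-ASCII errors
        return False, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "bad_alg"             # never accept alg=none or a downgraded alg
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        return False, "bad_signature"       # payload is only trusted once the signature holds
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "malformed"
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return False, "expired"
    return True, "ok"


def client_next_action(access_token: str, refresh_issued_at: int, now: int) -> str:
    """Client-side decision. The client holds no verification key, so it only reads exp
    from the token it was given; the refresh token is opaque, so the client remembers
    when it was issued to know whether the 20000 s lifespan has elapsed (an assumption
    about client bookkeeping, not something the page prescribes)."""
    try:
        payload = json.loads(_b64url_decode(access_token.split(".")[1]))
        exp = int(payload["exp"])
    except (IndexError, KeyError, ValueError, TypeError):
        return "reauthorize"                # unreadable token: run the grant flow again
    if now < exp:
        return "use_access_token"
    if now < refresh_issued_at + REFRESH_TOKEN_LIFESPAN:
        return "refresh"                    # access token expired, refresh token still valid
    return "reauthorize"                    # both expired: the user must authorize again


if __name__ == "__main__":
    t0 = int(time.time())
    token = issue_access_token("demo-client", t0)
    print(validate_access_token(token, t0 + 60))      # (True, 'ok')
    print(validate_access_token(token, t0 + 1800))    # (False, 'expired')
    print(client_next_action(token, t0, t0 + 1800))   # refresh
    print(client_next_action(token, t0, t0 + 20000))  # reauthorize
```

Two design points worth keeping when adapting this: the header's `alg` is checked before any signature work so a token claiming `none` or another algorithm is rejected outright, and the payload is only parsed after the signature verifies, so a tampered `exp` never influences the decision. The client-side function deliberately does not verify the signature; it only reads its own token's expiry, and the edge remains the place where the token is actually validated.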