Refresh tokens are used to generate additional access tokens. A refresh token is returned with the access token when exchanging an authorization code as part of the three-legged OAuth processes, and it can be used as long as the access token remains active.
The new access tokens can have the same expiration and scopes as the original access token, or can be specified to have a shorter lifespan as well as a smaller subset of scopes from the original access token. New access tokens can be generated in order to replace the original token or generated to serve as an additional token. You can also use refresh token calls to fully expire the original access and refresh tokens and any permissions granted by the user.
We suggest using refresh tokens in the following conditions:
- Replacing access tokens that may have been compromised (be sure to revoke the original access token); or
- Giving a third party that is also a part of your ORCID integration more limited access and/or access for a limited time.