• Docs◥◤
    • Get Started
    • Concepts
    • Guides
    • Reference
  • Use Cases◥◤
    • Embed auth into your app
    • Overview
    • Authentication
    • Authorization
    • User Management
    • Publish an integration
    • Overview
  • Pricing
  • Blog
  • Support◥◤
    • Okta Developer Forums
    • developers@okta.com
Login Sign Up
Search
  1. Docs
  2. Guides
  3. Show Contents
    • Guides
    • Basics
      • Quickstart: Signing in your first user
        • Create your Okta organization
        • Using the Console
        • Add a user using Console
        • Register your app
        • Try signing in
        • Try our APIs and SDKs
      • Create an API token
        • Overview
        • Create the token
        • Token expiration and deactivation
        • Next steps
      • Enable CORS
        • Overview
        • Grant cross-origin access to websites
        • Test your configuration
        • Next steps
      • Find your Okta domain
        • Overview
        • Find your Okta domain
      • Find your application credentials
        • Overview
        • Find your Application's credentials
      • Share Application Key Credentials for IdPs across Apps
        • Overview
        • Generate a new credential for the source app
        • Update the source app to use the new certificate
        • Share the source app's key credential ID with the target app
        • Update the target app to use the new credential
        • Next steps
      • Set up SAML Tracer
        • Overview
      • Upgrade SAML Apps to SHA256
        • Overview
        • Get the app info
        • Generate a new application key credential
        • Update the key credential for the app to specify the new signing key id
        • Upload the new certificate to the ISV
        • Reverting to a SHA1 Certificate
      • Sign the Okta certificate with your own CA
        • Overview
        • List your apps
        • Generate a CSR
        • Sign the CSR
        • Publish a CSR with a certificate
        • Update the key credential
        • Clone the certificate
        • Upload the new certificate to the ISV
      • Set up self-service registration
        • Before you begin
        • Enable and configure a self-service registration policy
        • Disable the security image and additional self-service recovery options
        • Customize the sign-up link in the Widget
        • Next steps
    • Sign Users In
      • Add an external Identity Provider
        • Before you begin
        • Create an App at the Identity Provider
        • Create an Identity Provider in Okta
        • Register an App in Okta
        • Create the Authorization URL
        • Use the Identity Provider to sign in
        • Next steps
      • Add multifactor authentication
        • Prerequisites
        • Set up your Okta org for MFA
        • Test the Postman setup
        • Create a test User
        • Enroll a factor
        • Activate the factor
        • Verify the factor
        • Next steps
      • Mobile App
        • Unlock a mobile app with biometrics
          • Overview
          • Add and configure packages
          • Store tokens
          • Discard access tokens
          • Retrieve refresh token
          • Next steps
        • Build a custom sign-in UI in your mobile app
          • Before you begin
          • Create an Okta application
          • Add and configure packages
          • Build the primary authentication form
          • Handle authentication responses
          • Next steps
        • Sign users in to your mobile app
          • Before you begin
          • Define a callback route
          • Create an Okta application
          • Add and configure packages
          • Open the sign-in page
          • Get info about the user
          • Check for a session at startup
          • Keep the user signed in
          • Use the access token
          • Next steps
        • Share a sign-in session with native mobile apps
          • Overview
          • Session and persistent Single Sign-On
          • Configure Two OpenID Connect Native Apps
          • Set up the first mobile app
          • Create a second mobile app
          • Optional Settings
          • Next steps
      • Sign users in to your single-page application
        • Before you begin
        • Define a callback route
        • Create an Okta application
        • Install the SDK
        • Configure the SDK
        • Add a button to sign in
        • Handle the callback from Okta
        • Require authentication
        • Get info about the user
        • Use the access token
        • Next steps
      • Sign users in to your web application
        • Before you begin
        • Understand the callback route
        • Create an Okta application
        • Add and configure packages
        • Redirect to the sign-in page
        • Require authentication
        • Get info about the user
        • Next steps
      • Sign users in to your web application without redirection
        • Sign users in without redirection
        • Create an Okta application
        • Add and configure packages
        • Handle remediation
        • Exchange interaction code for tokens
        • Next steps
      • Sign users out
        • Before you begin
        • Define the sign-out callback
        • Sign users out of Okta
        • Sign users out of your app
        • Next steps
      • Configure Okta sign-on and App sign-on policies
        • Before you begin
        • Prompt for an MFA factor for a certain group
        • Prompt for an MFA factor when a user is outside the US
        • Next steps
    • Authorization
      • Implement the Authorization Code Flow
        • Overview
        • Set up your Application
        • Use the Authorization Code flow
        • Exchange the code for tokens
        • Next steps
      • Implement the Authorization Code Flow with PKCE
        • Overview
        • Set up your Application
        • Use the Authorization Code flow with PKCE
        • Exchange the code for tokens
        • Next steps
      • Create an Authorization Server
        • Overview
        • Create an authorization server
        • Create access policies
        • Create Rules for Each Access Policy
        • Create Scopes
        • Create Claims
        • Test the authorization server
      • Implement the Client Credentials Flow
        • Overview
        • Set up your Application
        • Create custom scopes
        • Use the Client Credentials flow
        • Next steps
      • Implement the Implicit Flow
        • Overview
        • Set up your Application
        • Use the Implicit flow
        • Next steps
      • Request user consent
        • Request user consent during authentication
        • Enable consent for scopes
        • Build the request
        • Verification
        • Revoke consent for a user
        • Troubleshooting
      • Implement the Resource Owner Password Flow
        • Overview
        • Set up your Application
        • Use the Resource Owner Password flow
        • Next steps
      • Tokens
        • Build a JWT for Client Authentication
          • Overview
          • Gather Claims Information
          • Build a JWT With a Shared Key
          • Build a JWT With a Private Key
          • Next Steps
        • Customize tokens returned from Okta with custom claims
          • Overview
          • Request a token that contains a custom claim
          • Add a custom claim to a token
          • Include app-specific information in a custom claim
          • Next steps
        • Customize tokens returned from Okta with a Groups claim
          • Overview
          • Request a token that contains a custom claim
          • Add a Groups claim for the Org Authorization Server
          • Next steps
        • Customize tokens returned from Okta with a dynamic allow list
          • Overview
          • Request a token that contains a custom claim
          • Add a Groups claim with a dynamic allow list
          • Use a dynamic group allow list with the Org Authorization Server
          • Use a dynamic group allow list with a Custom Authorization Server
          • Next steps
        • Customize tokens returned from Okta with a static allow list
          • Overview
          • Request a token that contains a custom claim
          • Add a Groups claim with a static allow list
          • Use a static group allow list with the Org Authorization Server
          • Use a static group allow list with a Custom Authorization Server
          • Next steps
        • Refresh access tokens
          • Overview
          • Refresh token rotation
          • Get a refresh token
          • Use a refresh token
          • Next steps
        • Revoke Tokens
          • Overview
          • Revoke an access token or a refresh token
          • Remove a User session
        • Work with Okta session cookies
          • Overview
        • Validate Access Tokens
          • Overview
        • Validate ID Tokens
          • Overview
    • Brand and Customize
      • Customize the Okta-hosted error pages
        • Overview
        • Edit the error page
        • Use macros
        • Customization examples
        • Next steps
      • Customize the Okta URL domain
        • Before you begin
        • Gather information
        • Enable the custom domain
        • Update other Okta settings
        • Create a custom domain with Cloudflare
        • Next steps
      • Style the Widget
        • Before you begin
        • Style the self-hosted Sign-In Widget
        • Style the Okta-hosted Sign-In Widget
        • Customization examples
        • Next steps
      • Customize SMS messages
        • Before you begin
        • Customize the Okta Default SMS message
        • Add a translation
        • Next Steps
      • Customize email notifications and email domains
        • Before you begin
        • Customize email templates
        • Configure a custom email domain
        • Next steps
    • OIN Partner Integrations
      • Build a SCIM provisioning integration
        • Overview
        • Prepare your SCIM service
        • Test your SCIM API
        • Connect your SCIM service with a new Okta integration
        • Configure your Okta integration
        • Check the attributes and corresponding mappings
        • Test your Okta integration
        • Run through OIN QA tests
        • Next Steps
      • OIDC and the OIN: A Developer Primer
        • Overview
        • Background
        • Protocol-level requirements
        • Multi-tenancy
        • OIN integration best practices
        • Next steps
      • Build a Single Sign-On (SSO) integration
        • Overview
        • Prepare your integration
        • Create your integration
        • Specify your integration settings
        • Test your integration
        • Next Steps
      • Submit an app integration
        • Overview
        • Prepare a customer-facing configuration guide
        • Configure general settings
        • Configure protocol-specific settings
        • Understand the submission process
        • Update your published integration
    • API Security
      • Implement OAuth for Okta
        • Overview
        • Create an OAuth 2.0 app in Okta
        • Define allowed scopes
        • Get an access token and make a request
        • Scopes and supported endpoints
      • Implement OAuth for Okta with a Service App
        • Overview
        • Create a public/private key pair
        • Create a service app and grant scopes
        • Create and sign the JWT
        • Get an access token
      • Protect your API endpoints
        • Before you begin
        • Add and configure packages
        • Require authentication
        • Configure CORS
        • Next steps
      • Configure an access policy
        • Overview
        • Limit which scopes some clients can access
        • Configure a custom access token lifetime per client
        • Next steps
    • Deploy to Production
      • Deployment checklist
        • Pre-launch checklist
      • Deploy your app
        • Overview
        • Java
        • JavaScript
        • Mobile
      • Migrate to Okta
        • Prerequisites
        • Bulk Migration with Credentials
        • Import Users with Inline Password Hooks
    • Hooks
      • Common Hook Set-up Steps
        • Overview
        • Setting up an external service
        • Adding Basic Authorization and Body Parsing
        • Troubleshooting hook implementations
      • Event Hook
        • Overview
        • Initial verification
        • Parse the Event Hook request
        • Examine the Event Object
        • Enable and verify Event Hook
        • Test the Event Hook
      • Password Import Inline Hook
        • Overview
        • Get submitted credentials
        • Check credentials against user store
        • Send response
        • Activate
        • Import Users
        • Test your hook
      • Registration Inline Hook
        • Overview
        • Add request code
        • Send response
        • Activate and enable
        • Preview, test, and troubleshoot

Next steps

On This Page

Read more
Loading...

    You should now understand how to refresh access and ID tokens using a refresh token.

    Read more

    Read more about the SDKs that support refresh token rotation and reuse detection:

    • Okta Auth SDK Guide - JavaScript (opens new window)
    • Okta Sign-in Widget Guide - JavaScript (opens new window)
    • Okta Sign-in Widget and Angular (opens new window)
    • Okta Auth JS and Angular (opens new window)
    • Okta Sign-in Widget and React (opens new window)
    • Okta Auth JS and React (opens new window)
    • Okta Sign-in Widget and Vue (opens new window)
    • Okta Auth JS and Vue (opens new window)
    Edit This Page On GitHub
    On This Page
    • Read more

    Visit okta.com

    Social

    • GitHub
    • Twitter
    • Forum
    • RSS Blog
    • YouTube

    More Info

    • Integrate With Okta
    • Blog
    • Release Notes
    • 3rd Party Notices
    • Community Toolkit

    Contact & Legal

    • Contact Our Team
    • Contact Sales
    • Contact Support
    • Terms & Conditions
    • Privacy Policy