A refresh token allows a website to request a new access token, even if the access token has expired. Refresh tokens follow the same format as access tokens, except they begin with the string
Atzr|. Refresh tokens are valid indefinitely, unless the user has removed the website or mobile app from the list of allowed apps for their account. Refresh tokens have a maximum size of 2048 bytes. A refresh token is specifically assigned to one client and cannot be used by another client.
Refresh tokens are returned only in the Authorization Code Grant.