What do you do when an access token is expired? You could have the user log in again or you could use a refresh token. When a user is successfully authenticated using token-based authentication, an access token and an ID token are issued to the application. The ID token contains user information and the access token is used to make authenticated calls to an API. For security purposes, the access token should have a short lifespan. Once the access token is expired, the user will no longer have access and would need to log in again. That's not a good experience. The application can use a refresh token to make a request to get a new access token. And as long as the refresh token is valid and unexpired, it can keep making calls to get a new access token without ever involving the user. If you wanna learn more about refresh tokens and how to use them, check out the video in the comments. This has been Identity in a Minute.
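The flow described in the transcript, as an added Python example that is not part of the original video: a client refreshes an expired access token without involving the user and falls back to login only when the refresh token itself has expired. `AuthServer`, `Client`, `LoginRequired`, the injected clock and both lifetimes are assumptions made for illustration; the server is a constructed in-memory stand-in, and the ID token is left out.

```python
import secrets

ACCESS_TTL = 300        # seconds; short-lived access token (assumed value)
REFRESH_TTL = 86400     # seconds; assumed refresh-token lifetime

class LoginRequired(Exception):
    """Refresh token unknown or expired: the user must log in again."""

class AuthServer:
    """Constructed in-memory stand-in for an authorization server."""
    def __init__(self, clock):
        self.clock = clock      # callable returning the current time in seconds
        self.access = {}        # access token -> expiry time
        self.refresh = {}       # refresh token -> expiry time

    def _issue_access(self):
        token = secrets.token_urlsafe(16)
        self.access[token] = self.clock() + ACCESS_TTL
        return token

    def login(self):
        """User authenticates; returns (access_token, refresh_token)."""
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = self.clock() + REFRESH_TTL
        return self._issue_access(), rt

    def refresh_grant(self, rt):
        """Exchange a valid, unexpired refresh token for a new access token."""
        if self.refresh.get(rt, 0) <= self.clock():
            raise LoginRequired("refresh token invalid or expired")
        return self._issue_access()

    def api_call(self, at):
        """Protected API: accepts only known, unexpired access tokens."""
        return self.access.get(at, 0) > self.clock()

class Client:
    def __init__(self, server):
        self.server = server
        self.access_token, self.refresh_token = server.login()
        self.refreshes = 0      # how many silent refreshes have happened

    def call_api(self):
        """Call the API; on an expired access token, refresh once and retry."""
        if self.server.api_call(self.access_token):
            return True
        # Raises LoginRequired if the refresh token is no longer usable.
        self.access_token = self.server.refresh_grant(self.refresh_token)
        self.refreshes += 1
        return self.server.api_call(self.access_token)
```
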