What is the purpose of a “Refresh Token”?

Question

I have a program that integrates with the YouTube Live Streaming API. It runs on timers, so its been relatively easy for me to program in to fetch a new Access Token every 5

Answer 1

"So I don't see how this is any more secure than just giving me an Access Token from the start and not bothering with the whole Refresh Token system." I struggled with the same question. The short answer is the refresh token is necessary to assure the credentials have not expired.

An example may help: I have a database that stores your medical records. You consent to sharing your medical records with your spouse. Your spouse uses their Access Token to read your records from my database. Two weeks from now your spouse checks again on your medical records and the refresh token is used to ensure they still have permission (from the authentication server) to view your records. The refresh token bypasses the need for your spouse to re-enter their credentials (username and password) to the authentication server, but it does ensure they still have legitimacy to access the resource. A never expiring Access Token would not know if you had revoked your spouse's rights to access your medical records.