Two tokens with different jobs
A short-lived access token authorizes API calls and expires within minutes. A longer-lived refresh token is used only to obtain new access tokens, so the user does not have to log in repeatedly.
The danger is that a stolen refresh token grants long-term access. Rotation is the defense.
How rotation works
Each time a refresh token is used, the server issues a new access token and a new refresh token, then invalidates the old refresh token. A refresh token is therefore single-use.
Detecting theft
If an attacker steals a refresh token and uses it, and the real user later presents that same, now-invalidated token, the server sees a reuse of a retired token. That signals theft, so the server revokes the entire token family and forces a fresh login.
- Rotation limits how long a stolen token is useful.
- Reuse detection turns the theft into a loud, actionable signal.
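The rotation and reuse-detection logic above, as an added example in Python; this is illustrative code written for this page, not the implementation of any particular identity provider. It assumes an in-memory store (a real service would use a persistent, shared store), represents the access token as a plain dictionary rather than a signed JWT, and groups every refresh token descended from one login into a "family" identified by a constructed `family_id`.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    """Server-side state for one refresh token (assumed schema for this example)."""
    family_id: str   # all tokens descended from one login share a family
    user: str
    used: bool = False  # set once the token has been redeemed; it is then retired


class TokenService:
    def __init__(self, access_ttl_seconds: int = 300):
        self.access_ttl = access_ttl_seconds
        self.refresh_tokens: dict[str, RefreshRecord] = {}  # token value -> record
        self.revoked_families: set[str] = set()
        self.audit: list[dict] = []  # security events a SOC would want to see

    def login(self, user: str):
        """A fresh login starts a new token family."""
        family_id = secrets.token_hex(8)
        return self._issue(user, family_id)

    def _issue(self, user: str, family_id: str):
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = RefreshRecord(family_id, user)
        # Access token is a plain dict here; a real service would sign a JWT.
        access = {"sub": user, "exp": time.time() + self.access_ttl}
        return access, refresh

    def refresh(self, presented: str):
        """Rotate: redeem the presented token once, issue a new pair, retire the old one."""
        rec = self.refresh_tokens.get(presented)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec.family_id in self.revoked_families:
            raise PermissionError("token family revoked; a new login is required")
        if rec.used:
            # A retired token came back: either the attacker or the victim is
            # replaying it. We cannot tell which, so the whole family goes.
            self.revoke_family(rec.family_id, reason="refresh token reuse")
            raise PermissionError("refresh token reuse detected; family revoked")
        rec.used = True  # single-use: this value is now retired
        return self._issue(rec.user, rec.family_id)

    def revoke_family(self, family_id: str, reason: str) -> None:
        self.revoked_families.add(family_id)
        self.audit.append({"event": "family_revoked",
                           "family": family_id, "reason": reason})

    def family_of(self, refresh: str) -> str:
        return self.refresh_tokens[refresh].family_id


def theft_scenario() -> dict:
    """Walk through the theft case described in the text and report what happened."""
    svc = TokenService()
    _, victim_token = svc.login("alice")

    # Constructed scenario: the attacker has copied victim_token and redeems it first.
    _, attacker_token = svc.refresh(victim_token)

    # The legitimate client, unaware, later presents the same (now retired) token.
    try:
        svc.refresh(victim_token)
        victim_rejected = False
    except PermissionError:
        victim_rejected = True

    # Because the family was revoked, the attacker's newer token is dead as well.
    try:
        svc.refresh(attacker_token)
        attacker_cut_off = False
    except PermissionError:
        attacker_cut_off = True

    return {
        "victim_rejected": victim_rejected,
        "attacker_cut_off": attacker_cut_off,
        "family_revoked": svc.family_of(victim_token) in svc.revoked_families,
        "audit_events": len(svc.audit),
    }


if __name__ == "__main__":
    print(theft_scenario())
```

The order of the checks in `refresh` matters: the family-revoked test runs before the reuse test, so once a family is burned every token in it fails fast without generating a second audit event. The single `family_revoked` audit record is the "loud, actionable signal" the text refers to; in a real deployment it should be shipped to the SIEM alongside the user and client identifiers so the incident can be triaged.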
Key idea
Refresh token rotation makes each refresh token single-use, so that reusing a retired token reveals theft and triggers revocation of the whole family.