Access tokens are usually short-lived, so their damage window is limited. Refresh tokens can mint new access tokens repeatedly, which means possession can preserve access for months or longer. That makes the refresh token the persistence mechanism and the access token only the temporary execution credential.
Why Refresh Tokens Are the Real Persistence Problem
The risk difference is not just lifespan, but what each token can do after it is stolen. An access token is typically scoped for a specific resource and expires quickly, so compromise often creates a narrow window. A refresh token, by design, is a reusable credential that can keep issuing fresh access tokens, which makes it a far better persistence mechanism for attackers.
That distinction shows up repeatedly in NHI incidents where long-lived credentials survive long after the original event. In the 52 NHI Breaches Analysis, token misuse and credential persistence patterns are a recurring theme, and the same dynamic appears in the Salesloft OAuth token breach. Current guidance from the OWASP Non-Human Identity Top 10 and NIST Cybersecurity Framework 2.0 both point toward short-lived access and rapid revocation as practical defenses.
In practice, many security teams only learn the difference when an attacker keeps coming back through a refreshed session after the original access token has already expired.
How the Compromise Actually Works in Practice
Once a refresh token is exposed, the attacker does not need to keep the original access token alive. They can exchange the refresh token for a new access token, use it until it expires, and repeat the cycle. That makes the refresh token the durable key, while the access token becomes only a temporary execution credential. The security question is therefore not “Can the access token expire?” but “Can the refresh path be abused after compromise?”
That is why modern controls focus on token binding, rotation, revocation, and narrow scopes. For NHI programs, the practical goal is to make stolen credentials useless quickly and to make reuse detectable. The Guide to the Secret Sprawl Challenge is relevant here because refresh tokens often become dangerous when they are copied into tickets, chats, logs, or CI/CD systems. GitGuardian’s State of Secrets Sprawl 2026 found that 64% of valid secrets leaked in 2022 are still valid and exploitable today, showing why detection without revocation is not enough.
- Use short access-token TTLs so stolen execution credentials age out quickly.
- Rotate refresh tokens after use where the platform supports it.
- Bind tokens to workload identity or device context when possible.
- Revoke the refresh token at the source of compromise, not just the active access token.
- Monitor for unusual refresh frequency, geographic drift, or new client fingerprints.
Best practice is to combine lifecycle control with runtime detection, because a refresh token that remains valid after theft is effectively a standing privilege grant. These controls tend to break down in legacy OAuth deployments that do not support refresh-token rotation or reliable revocation callbacks, because the issuer cannot confidently distinguish legitimate renewal from attacker reuse.
Where the Risk Is Highest and What Teams Miss
Tighter refresh-token controls often increase operational overhead, requiring organisations to balance usability against revocation certainty. That tradeoff becomes especially visible in service-to-service integrations, headless automation, and delegated admin access, where teams often keep long-lived refresh tokens to avoid breaking workflows. Current guidance suggests treating those tokens as high-value secrets, not as harmless session helpers.
Two common failures drive the risk. First, organisations assume that a short-lived access token makes the overall compromise low impact, while the refresh token remains silently reusable. Second, teams duplicate the same token across multiple systems, which expands the blast radius if one copy leaks. NHIMG research on the Ultimate Guide to NHIs shows how overused identities and duplicated secrets create the conditions for persistent compromise. External standards like NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 both reinforce least privilege and rapid recovery, but there is no universal standard for refresh-token lifetime across vendors.
In practice, the safest posture is to assume a stolen refresh token is an active foothold until proven otherwise, because the attacker only needs one successful exchange to restore access repeatedly.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Refresh tokens are high-value NHI secrets that need rotation and revocation. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access limits what a stolen token can reach. |
| NIST AI RMF | AI systems using delegated credentials need governance for runtime misuse. |
Establish accountability, monitoring, and revocation paths for token-driven automation.
