Understanding Refresh Tokens: Secure Your Applications Today

Executive Summary

Refresh tokens are long-lived credentials that can jeopardize application security if not managed properly. The 2025 Salesloft incident revealed how these tokens, left unchecked, can grant unauthorized access to critical systems. Organizations must understand how refresh tokens work and implement robust security measures to mitigate risks stemming from outdated or compromised tokens. Secure usage of refresh tokens is essential in defending against modern SaaS supply chain attacks.

👉 Read the full article from Obsidian Security here for comprehensive insights.

Key Insights

The Salesloft Incident

• In early 2025, Salesloft faced a security breach due to compromised refresh tokens.
• Tokens had been authorized by users who were no longer active, providing access to over 700 organizations.

Understanding Refresh Tokens

• Refresh tokens are essential for maintaining user sessions in applications.
• They operate outside traditional identity lifecycle controls, such as re-authentication and multi-factor authentication (MFA).

Risks Associated with Refresh Tokens

• Long-lived refresh tokens can lead to significant security blind spots in identity management.
• Without proper monitoring, stale tokens can remain active long after a user has left an organization.

Best Practices for Secure Token Management

• Implement strict expiration policies for refresh tokens to minimize security risks.
• Regularly audit and revoke tokens associated with inactive users or projects.
• Integrate adaptive authentication measures to further secure token usage.

👉 Access the full expert analysis and actionable security insights from Obsidian Security here.