> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how the OIDC-conformant pipeline affects your use of refresh tokens.

# Refresh Tokens with OIDC

With the OIDC-conformant pipeline, <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+tokens">refresh tokens</Tooltip>:

* Will no longer be returned when using the [implicit grant](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post) for authentication.
* Can be used by [confidential applications](/docs/get-started/applications/confidential-and-public-applications).
* Can be used with [Refresh Token Rotation](/docs/secure/tokens/refresh-tokens/refresh-token-rotation) by public applications when using the Authorization Code Flow with PKCE.
* Should use the [`/oauth/token`](https://auth0.com/docs/api/authentication#refresh-token) endpoint to get new tokens because the [`/delegation`](https://auth0.com/docs/api/authentication#delegation) endpoint is deprecated.

In addition, differences exist in the refresh token structure. To learn more, read [Refresh Tokens](/docs/secure/tokens/refresh-tokens).

## Legacy (delegation)

```json lines theme={null}
POST /delegation
Content-Type: 'application/json'
{
  "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
  "client_id": "...",
  "refresh_token": "...",
  "scope": "openid profile"
}
```

## OIDC-conformant (token endpoint)

```http lines theme={null}
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=123&client_id=123&client_secret=123&scope=openid+profile&audience=https%3A%2F%2Fapi.example.com
```

* `audience` and `client_secret` parameters are optional.
* `client_secret` is not needed when requesting a `refresh_token` for a public application.

<Warning>
  Refresh Tokens must be kept confidential in transit and storage, and they should be shared only among the authorization server and the client to whom the refresh tokens were issued.
</Warning>

## Learn more

* [Access Tokens with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-access-tokens)
* [External APIs with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-apis)
* [Authorization Code Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-auth-code-flow)
* [Client Credentials Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-client-credentials-flow)
* [Delegation with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-delegation)
* [Implicit Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-implicit-flow)