Since the access token is short lived, I used the refresh token to get a new access token. A successful token response will include the following (example from microsoft api doc):
`{ "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...", "token_type": "Bearer", "expires_in": 3599, "scope": "user.read%20mail.read", "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...", }`
I have read the life time of refresh_token is valid until revoked or 90 days of inactivity. Since I'm getting a new refresh token, do I need to replace the old refresh token with this new one? if I do, how to delete the old refresh token?
Thanks!
Like access token Refresh tokens will also expire but are rather long-lived i.e., 90 days maximum time. Once Refresh token expires you need to authenticate to the application again to get a new access token and refresh token.
Also please refer MS Documents.