# Refresh tokens

Learn about generating new user access tokens. 

A refresh token lets your application obtain new user access tokens without requiring the user to re-authorise. Refresh tokens are valid for up to 20 years, enabling long-term access to user accounts.

## Using a refresh token

You’ll receive a refresh token in the same response as the [user access token](/guides/developer/auth-and-security/user-access-token). Before the access token expires, use the refresh token to generate a new access token by making a [create an OAuth token request](/api-reference/oauth-token/oauthtokencreate).

**Endpoint**: `POST /oauth/token`

**Example**:

```bash
curl -X POST https://api.wise.com/oauth/token \
  -u '<client_id>:<client_secret>' \
  -d 'grant_type=refresh_token' \
  -d 'refresh_token=<REFRESH_TOKEN>'
```

The response is an [OAuth token response](/api-reference/oauth-token/oauthtokencreate) containing a new access token. The previous access token is invalidated immediately.

### Managing refresh tokens

- Encrypt refresh tokens at rest, as they grant long-term access.
- Use centralised storage and avoid having multiple services refresh simultaneously.
- Monitor for anomalies, as unusual refresh patterns may indicate compromise.
- If you suspect a token is compromised, prompt the user to re-authorise.


## Invalid tokens

An invalid token returns the error `invalid_grant`. A refresh token can be invalidated before its 20-year expiration for any of the following reasons:

- User revokes your application's access
- User enables enhanced security on their account
- Wise revokes the token due to security concerns
- Token validity period expires (if configured shorter than the default value)


When a refresh token becomes invalid, the user must re-authorise your application. When this occurs, your application should:

1. Detect the `invalid_grant` error.
2. Clear the stored tokens for that user.
3. Prompt the user to re-authorise via the [OAuth flow](/guides/developer/auth-and-security/user-access-token).
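
The following Python example is added here and is not Wise's own code. It combines the guidance under "Managing refresh tokens" (one central owner of refresh calls, no simultaneous refreshes) with the three `invalid_grant` steps above. `TokenManager`, `ReauthorisationRequired` and the `post_token_request` hook are hypothetical names, and the `access_token`, `refresh_token` and `error` response fields are assumed to follow RFC 6749.

```python
import threading
from collections import defaultdict


class ReauthorisationRequired(Exception):
    """Refresh token rejected: send the user back through the OAuth flow."""


class TokenManager:
    """Single owner of refresh calls, so services never refresh concurrently."""

    def __init__(self, post_token_request):
        # Hypothetical hook: post_token_request(form) -> (http_status, json_body),
        # wrapping POST /oauth/token with the client credentials from the curl example.
        self._post = post_token_request
        self._tokens = {}  # user_id -> tokens; encrypt at rest in real storage
        self._locks = defaultdict(threading.Lock)
        self._guard = threading.Lock()

    def store(self, user_id, access_token, refresh_token):
        self._tokens[user_id] = {"access_token": access_token,
                                 "refresh_token": refresh_token}

    def has_tokens(self, user_id):
        return user_id in self._tokens

    def refresh(self, user_id, stale_access_token):
        with self._guard:
            lock = self._locks[user_id]
        with lock:  # at most one refresh in flight per user
            current = self._tokens.get(user_id)
            if current is None:
                raise ReauthorisationRequired(user_id)
            # Another caller refreshed while we waited: reuse its result.
            if current["access_token"] != stale_access_token:
                return current["access_token"]
            status, body = self._post({"grant_type": "refresh_token",
                                       "refresh_token": current["refresh_token"]})
            if status == 200:
                current["access_token"] = body["access_token"]
                # Assumption: keep the old refresh token if none is returned.
                current["refresh_token"] = body.get(
                    "refresh_token", current["refresh_token"])
                return current["access_token"]
            if body.get("error") == "invalid_grant":
                # Steps 1-3 above: detect, clear, then prompt re-authorisation.
                self._tokens.pop(user_id, None)
                raise ReauthorisationRequired(user_id)
            raise RuntimeError(f"token refresh failed: HTTP {status}")
```

Callers pass the access token they believe is stale. Because a refresh immediately invalidates the previous access token, a caller that waited on the lock reuses the fresh token instead of issuing a second refresh.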