Refresh token
The longer-lived token used to obtain new session tokens without re-authenticating.
A refresh token is a credential that, when presented, returns a fresh short-lived session token. It's the mechanism that keeps users logged in without re-prompting for their password every 15 minutes.
Robnu stores the refresh token in the token vault. When a session token expires, the refresh token is used to mint a new one. The refresh token itself rotates on use — every refresh issues a new pair, and the old refresh token is invalidated.
Rotation matters. If a refresh token leaks (rare, given the vault), the attacker has at most the window between the leak and the next rotation. Robnu rotates on every use AND on suspicion (unusual IP, unusual access pattern).