We currently issue only long-lived access tokens (1 year expiration date). This means after a year has passed, a user will need to re-authorize API apps they are using.

We intend to offer refresh tokens to enable API apps to automatically refresh old access tokens server-side. We've run into a bug with our OAuth2 provider that seems to be preventing refresh tokens from being issued.

Once issue is resolved with our OAuth 2 provider, we'll get refresh_tokens added ASAP and update documentation.

This is now accomplished with id-service. All existing clients have been updated to have the refresh_token grant as well. Only thing remaining is to update documentation.