A Refresh Token is an opaque token that contains the information required to obtain a new Access Token. A Refresh Token is long-lived as opposed to an Access Token and ID Token.
A refresh token is an OAuth 2.0 specific token. It is issued as part of the authorization flow. However, it is only issued when the client uses the
authorization_code grant type and if the 'Issue refresh tokens' option is selected in the web client configuration. Please see the web client configuration topic guide for more information about issuing refresh tokens.
Note: Please make sure that Refresh Tokens are stored securely and they are not leaked. Leaking refresh tokens basically means that a user account can be compromised.