Refresh token support for MCP authorization flows
OIDC ID Token and Aembit Access Token Credential Providers now support refresh tokens for MCP Authorization Server flows. This feature applies exclusively to MCP Authorization Server use cases.
What’s new:
- An Enable Refresh Token Support option on OIDC ID Token and Aembit Access Token Credential Providers.
- An Absolute Token Lifetime setting that controls how long refresh tokens remain valid for exchanging for new access tokens after initial issuance.
- Refresh tokens are single-use. Each exchange returns a new refresh token.
When enabled, the MCP Authorization Server returns refresh tokens alongside access tokens during OAuth token requests. MCP clients can exchange a refresh token for a new access token and a new refresh token, maintaining an active session without completing a new authorization flow. Other credential flows, such as Agent Proxy, are not affected by this setting.
To use this feature, edit your Credential Provider, toggle Enable Refresh Token Support to on, and set the Absolute Token Lifetime.
For details, see Token refresh, OIDC ID Token, and Aembit Access Token.