On 12/02/16 18:10, robinfernandes . wrote:
Hi Everyone,
So the scenario that I am trying to understand is as follows:
1. I get an offline token and I try to refresh my token pair
(access,refresh) using this offline token.
2. Will I get a new offline token? Or will Keycloak see that you
passed in an offline token so it will return the same offline token back?
In the tests that I performed, I saw it returning a new offline token each
time. Is that a correct understanding?

Yes, it works this way. However, if you have some DAO on your application
side, you don't need to save the new offline token every time. You can still
use the old offline token for refreshing and it will work. There is no
expiration on the offline token itself, there is just expiration on the
keycloak-server side, which is updated during each token refresh (in
other words, as long as you refresh at least once every 30 days, you can
use the same offline token for years).
The only exception to this is if you have the "Revoke refresh token" switch
enabled for your realm. Then each offline token can be used just once,
so you always need to use the newest offline token.
Marek

Is there any parameter I can pass to the token refresh call so that it
gives me the same offline token back?
Thanks,
Robin
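
The two cases from the reply above, as an added example that is not part of the original thread and is not Keycloak code: a client that stores whichever refresh token comes back works with the "Revoke refresh token" switch on or off, while a DAO that keeps presenting the first token only works with it off. The endpoint URL, client id, public client (no secret), the `FakeRealm` stand-in and its `invalid_grant` reply are assumptions made so the example runs offline.

```python
import json
from urllib import error, parse, request

# Placeholder endpoint and client id: assumptions, not values from the thread.
TOKEN_URL = "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/token"
CLIENT_ID = "demo-app"

class ReauthRequired(Exception):
    """The stored offline token was rejected; the user has to log in again."""

def http_post(url, form):
    """POST a form to the token endpoint; return (status, parsed JSON body)."""
    try:
        with request.urlopen(url, data=parse.urlencode(form).encode(), timeout=10) as resp:
            return resp.status, json.load(resp)
    except error.HTTPError as err:
        return err.code, json.load(err)

def refresh(store, post=http_post):
    """Refresh using store["offline_token"]; keep whichever token comes back."""
    status, body = post(TOKEN_URL, {"grant_type": "refresh_token", "client_id": CLIENT_ID,
                                    "refresh_token": store["offline_token"]})
    if status != 200:
        raise ReauthRequired(body.get("error", "unknown"))
    # Saving the newest token is optional while old tokens stay valid, but
    # required when "Revoke refresh token" makes each one single-use.
    store["offline_token"] = body.get("refresh_token", store["offline_token"])
    return body["access_token"]

class FakeRealm:
    """Constructed in-memory stand-in for the token endpoint, so this runs offline."""
    def __init__(self, first_token, revoke_refresh_token):
        self.valid, self.revoke, self.count = {first_token}, revoke_refresh_token, 0

    def post(self, url, form):
        old = form["refresh_token"]
        if old not in self.valid:
            return 400, {"error": "invalid_grant"}
        self.count += 1
        if self.revoke:
            self.valid.discard(old)  # single use: the presented token is now dead
        new = f"offline-{self.count}"
        self.valid.add(new)
        return 200, {"access_token": f"access-{self.count}", "refresh_token": new}

def reuse_old_token(revoke):
    """Refresh once, then present the original token again, as a stale DAO would."""
    realm = FakeRealm("offline-0", revoke)
    refresh({"offline_token": "offline-0"}, realm.post)
    return refresh({"offline_token": "offline-0"}, realm.post)
```

`reuse_old_token(False)` succeeds, `reuse_old_token(True)` raises `ReauthRequired`; in a real application `store` would be the persistent DAO rather than a dict.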