---
title: Configuring a Refresh Token Token Processor instance
description: PingFederate validates refresh tokens used as subject tokens in OAuth token exchange processor policies.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_configuring_refresh_token_processor_instance
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_configuring_refresh_token_processor_instance.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: June 26, 2026
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  next-steps: Next steps
---

# Configuring a Refresh Token Token Processor instance

PingFederate validates refresh tokens used as subject tokens in OAuth token exchange processor policies.

Use the **Instance Configuration** tab on the **Create Token Processor Instance** page to configure a Refresh Token Token Processor instance.

Use this token processor when a token exchange processor policy must accept a subject token of type `urn:ietf:params:oauth:token-type:refresh_token`.

When processing an incoming refresh token, PingFederate looks up the associated persistent grant and can fulfill stored grant attributes from that grant.

For ID-JAG token exchange that uses an ID token as the subject token, use a JWT Token Processor 2.0 instance instead. Refresh tokens are better suited for long-running ID-JAG flows because they are longer-lived than ID tokens.

Learn more in the [ID-JAG specification](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/).

## Before you begin

Use the **Type** tab on the **Create Token Processor Instance** page to begin configuring a Refresh Token Token Processor instance.

Learn more in [Selecting a token processor type](help_tokenprocessorinstancetasklet_selectadaptertypestate.html).

## Steps

1. In the PingFederate admin console, on the **Create Token Processor Instance** page, click the **Instance Configuration** tab.

2. Review the configuration. This plugin type has no individual configurable fields.

3. Click **Save**.

## Next steps

After you save the instance configuration, click the **Extended Contract** tab to continue configuring the token processor instance.

If you expose grant attributes from the Refresh Token Token Processor, the extended contract attribute name and the grant attribute name must match exactly, including case.

To use the processor in an ID-JAG flow, map it to the subject token type `urn:ietf:params:oauth:token-type:refresh_token` in a token exchange processor policy.