Refresh tokens
Currently, you can choose for PingOne to issue either JSON Web Tokens (JWTs) or opaque refresh tokens for OIDC-based applications. Learn more in Editing an application.
As part of our ongoing commitment to security, after March 1, 2027, PingOne will issue only opaque refresh tokens, and JWTs will be deprecated. Opaque refresh tokens only include a unique string and don’t require a digital signature, making them more private and faster than JWTs.
By March 1, 2027, you must update existing applications to use opaque refresh tokens so that your users don't lose access to the resources they need. PingOne will return an error for any applications that aren't updated to use opaque refresh tokens by this date.
The following table shows the timeline for migrating to opaque tokens as the default and deprecating JWTs:
| Refresh token type | Before Jan. 27, 2026 | Between Jan. 27, 2026 and March 1, 2027 | After March 1, 2027 |
|---|---|---|---|
| Opaque Token | Selectable | Default | Only option |
| JSON Web Token | Default | Selectable | Deprecated |
- For applications created before January 27, 2026:
  - If Grant Type is set to Refresh Token, Refresh Token Format defaults to JSON Web Token.
  - You can change Refresh Token Format to Opaque Token.
- For applications created between January 27, 2026 and March 1, 2027:
  - Refresh Token Format defaults to Opaque Token.
  - You can change Refresh Token Format to JSON Web Token.
- After March 1, 2027:
  - PingOne will issue only opaque refresh tokens, and JWTs will be deprecated.
  - Refresh Token Format will be removed from the Configuration tab for OIDC-based applications.
  - When PingOne receives a JWT-based refresh token from an application, PingOne will return an error message to the application. For example, if an application or a custom resource sends a request to introspect a JWT-based refresh token, PingOne will return an error to the application.
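To find applications that still hold JWT-format refresh tokens before the cutoff, a client-side inventory can classify stored tokens by structure alone. The following is an added example, not PingOne code: the application IDs and sample tokens are constructed, and it assumes an opaque token never decodes as a three-segment compact JWS whose header is a JSON object containing `alg`.

```python
import base64
import json
from collections import Counter


def _b64url_json(segment):
    """Decode one base64url segment as a JSON object, or return None."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    except (ValueError, UnicodeError):
        return None
    return obj if isinstance(obj, dict) else None


def refresh_token_format(token):
    """Return 'jwt' if the token has compact JWS structure, else 'opaque'.

    Structure only: no signature is verified and no claim is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    header = _b64url_json(parts[0])
    payload = _b64url_json(parts[1])
    if header is None or payload is None or "alg" not in header:
        return "opaque"
    return "jwt"


def apps_still_on_jwt(stored):
    """Count JWT-format refresh tokens per application ID.

    `stored` is an iterable of (app_id, refresh_token) pairs.
    """
    return dict(Counter(app for app, tok in stored
                        if refresh_token_format(tok) == "jwt"))


def _enc(obj):
    """Base64url-encode a dict without padding (used for the sample only)."""
    raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
    return raw.rstrip(b"=").decode()


# Constructed samples; neither value was issued by PingOne.
SAMPLE_JWT = ".".join([_enc({"alg": "RS256", "typ": "JWT"}),
                       _enc({"sub": "user-1"}), "c2lnbmF0dXJl"])
SAMPLE_OPAQUE = "3f9c1e7a5b2d4c8e9a0b1c2d3e4f5a6b"
```

Run the inventory against a token store only in a context already trusted to read those tokens, and report counts rather than logging token values.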