![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 28.000000000000004%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,431 questions
I remember the sample - so your application has an access token, which is sent in the Authorization header of API calls. This is the token that allows the app to access the Microsoft Graph on the user's behalf. However, this token is short-lived. The token expires an hour after it is issued. This is where the refresh token becomes useful. The OAuth specification introduces a refresh token, which allows the app to request a new access token without requiring the user to sign in again.
Also the above sample app is using the msal-node package - so you do not need to implement any token storage or refresh logic. The app uses the default msal-node in-memory token cache, which is sufficient for the sample application. Production applications should provide their own caching plugin to serialize the token cache in a secure, reliable storage medium.