The x-ms-RefreshTokenCredential HTTP header is optional and can be specified by the client role of the OAuth 2.0 Protocol Extensions for Broker Clients. This header is used to pass a previously obtained primary refresh token to the authorization endpoint of the AD FS server. The primary refresh token can be used by the server to authenticate the user and the device on which the client runs when processing the authorization request.

The value of the x-ms-RefreshTokenCredential HTTP header MUST be a signed JWT. The signed JWT format is defined in [RFC7519]. The format for the x-ms-RefreshTokenCredential header is as follows.

 String = *(%x20-7E)
 x-ms-RefreshTokenCredential = String