A refresh token is a long-lived token that usually lasts for days or weeks. It is used when an access token expires and you need to generate a new one on behalf of a user, which avoids asking the user to log in again. Refresh tokens should be stored on the client in a cookie with SameSite set to Lax and sent over HTTPS, to avoid them being hijacked. You can also store them on the backend in a database and map each one to a user ID or some other identifier.
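The two storage options above, combined in one sketch; this is an added example, not code from the original page. The class and function names, the 14-day lifetime, the cookie name and path, the HttpOnly flag, hashing the token at rest and single-use redemption are all assumptions of the example.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

REFRESH_TTL = 14 * 24 * 3600  # assumed lifetime in seconds (14 days)


class RefreshTokenStore:
    """In-memory stand-in for the backend database table (hypothetical)."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Keep only a hash, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Create a random token, map its hash to user_id, return the token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = (user_id, now + REFRESH_TTL)
        return token

    def redeem(self, token, now=None):
        """Return the user id for a known, unexpired token, else None.

        The row is deleted on use (an assumption of this example), so the
        caller issues a fresh refresh token alongside the new access token.
        """
        now = time.time() if now is None else now
        row = self._rows.pop(self._digest(token), None)
        if row is None or row[1] <= now:
            return None
        return row[0]


def refresh_cookie(token):
    """Build the Set-Cookie value that carries the token to the client."""
    cookie = SimpleCookie()
    cookie["refresh_token"] = token        # cookie name is an assumption
    morsel = cookie["refresh_token"]
    morsel["samesite"] = "Lax"             # as recommended in the text
    morsel["secure"] = True                # only sent over HTTPS
    morsel["httponly"] = True              # assumption: hide from page scripts
    morsel["max-age"] = REFRESH_TTL
    morsel["path"] = "/auth/refresh"       # hypothetical refresh endpoint
    return morsel.OutputString()
```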