In .NET framework I've implemented this both ways where you have short lived bearer tokens with a long lived refresh token and also with a longer bearer token expiration(1 hour) and when you get a 401 you ask the user to reauthorize or you have their credentials cached so you just login again.

My implementation is connected .NET apps. I have not done this yet with a web app but I think the question is the same.

​

Do you use refresh tokens?

Are they worth the added complexity?

Other ways to do this I don't know about?