OAuth 2.0 access tokens are typically short-lived (minutes to an hour), but refresh tokens are long-lived in practice: many authorization servers keep them valid for days or months, or until they are explicitly revoked. That is why the CoPhish attack was so dangerous.
The AI agent didn't just get temporary access; it got persistent access. Holding a refresh token, it could mint fresh access tokens at will, without the user ever signing in again and without tripping the access token's short expiry.
OAuth 2.1 is still an IETF draft, but it addresses this "long-lived token" problem by requiring (at least for public clients) that refresh tokens be one of two things: one-time use, meaning every refresh issues a new refresh token and reuse of an old one is treated as evidence of theft, or sender-constrained, meaning the token is cryptographically bound to the client's key (for example with DPoP or mutual TLS) so a copy is useless to anyone else. One caveat: neither option shortens the refresh token's lifetime. They limit what a stolen refresh token is worth, and rotation additionally makes the theft detectable.
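To make the two OAuth 2.1 options concrete, here is an added illustration (not code from this post, CoPhish, or any real authorization server) that models an authorization server's refresh-token ledger and replays a stolen-token scenario under four configurations: plain OAuth 2.0 behaviour, rotation only, sender-constraining only, and both. The in-memory store, the token-family bookkeeping, and the `sender` string standing in for a DPoP key thumbprint or mTLS certificate hash are all simplifying assumptions; a real deployment verifies a signed proof rather than comparing a string.

```python
"""Model of OAuth 2.1 refresh-token protections: rotation (one-time use with
replay detection) and sender-constraining. Added example, not the post's code.
Assumptions: in-memory ledger; `sender` is a stand-in for a client key
thumbprint (DPoP) or certificate hash (mTLS), which an attacker cannot forge."""

import secrets
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    family: str      # one family per original authorization grant
    sender: str      # key identifier the token is bound to (assumption, see above)
    used: bool = False


class AuthorizationServer:
    def __init__(self, rotate: bool = True, sender_constrain: bool = True):
        self.rotate = rotate
        self.sender_constrain = sender_constrain
        self.refresh_tokens: dict[str, RefreshRecord] = {}
        self.revoked_families: set[str] = set()

    @staticmethod
    def _new_token() -> str:
        return secrets.token_urlsafe(24)

    def grant(self, sender: str) -> str:
        """Initial authorization: open a new token family and issue its first refresh token."""
        family = secrets.token_hex(8)
        rt = self._new_token()
        self.refresh_tokens[rt] = RefreshRecord(family=family, sender=sender)
        return rt

    def refresh(self, rt: str, sender: str):
        """Exchange a refresh token. Returns (next_refresh_token, access_token) or None."""
        rec = self.refresh_tokens.get(rt)
        if rec is None or rec.family in self.revoked_families:
            return None
        if self.sender_constrain and rec.sender != sender:
            # Presented by a different client key: a stolen copy is worthless.
            return None
        if self.rotate:
            if rec.used:
                # Replay of an already-rotated token: two parties hold this family.
                # The server cannot tell which is legitimate, so it kills the family.
                self.revoked_families.add(rec.family)
                return None
            rec.used = True
            next_rt = self._new_token()
            self.refresh_tokens[next_rt] = RefreshRecord(family=rec.family, sender=rec.sender)
        else:
            next_rt = rt   # OAuth 2.0 style: the same long-lived refresh token keeps working
        return next_rt, "at-" + self._new_token()


def stolen_refresh_token_scenario(rotate: bool, sender_constrain: bool,
                                  attacker_first: bool = False) -> dict:
    """Victim obtains a refresh token; an attacker copies it (the CoPhish situation).
    Each party then refreshes twice with whatever token it holds. Returns how many
    access tokens each side managed to mint."""
    srv = AuthorizationServer(rotate, sender_constrain)
    rt1 = srv.grant(sender="victim-key")
    held = {"victim": rt1, "attacker": rt1}        # attacker holds an exact copy
    minted = {"victim": 0, "attacker": 0}
    order = ["attacker", "victim"] if attacker_first else ["victim", "attacker"]
    for _round in range(2):
        for party in order:
            res = srv.refresh(held[party], sender=f"{party}-key")
            if res:
                held[party] = res[0]
                minted[party] += 1
    return {"attacker_access_tokens": minted["attacker"],
            "victim_access_tokens": minted["victim"]}


if __name__ == "__main__":
    for cfg in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"rotate={cfg[0]!s:5} sender_constrain={cfg[1]!s:5}",
              stolen_refresh_token_scenario(*cfg),
              "attacker first:", stolen_refresh_token_scenario(*cfg, attacker_first=True))
```

Read the output side by side: with neither protection the attacker mints access tokens indefinitely alongside the victim. Rotation alone stops the attacker and surfaces the theft, but it takes the victim's session down with it, and if the attacker refreshes first it still gets one access-token window before the victim's next refresh trips the alarm. Sender-constraining alone rejects every use of the copied token while the victim carries on untouched, which is why the two are complementary rather than interchangeable.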
In June 2025, 149 identity professionals from finance, healthcare, government, and tech gathered at Identiverse (the world’s largest digital identity event) to explore what comprehensive agentic AI IAM should look like.
And what they discovered might keep you up at night.