<@U04UQ68083H> How would I implement a refresh tok...
# ory-copilot
m
@chilly-king-10285 How would I implement a refresh token for native apps using the frontend REST APIs? Is this possible?
c
A message from kapa.ai
Yes, it is possible to implement a refresh token for native apps using the frontend REST APIs. Here's a step-by-step guide based on the information provided in the extracts:

1. When the access token expires, you need to obtain a new token to continue accessing the protected resource. This process is called token refresh. The refresh token is a special token that can be used to obtain a new access token or ID token without the user's involvement. The refresh token is issued to the client during the initial token issuance and can be used to obtain a new token when the current token expires. [source](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant)

2. Here's an example of how to refresh an access token with Ory:

   ```javascript
   // Set up the endpoint and refresh token
   const endpoint = "https://oauth2.example.com/token"
   const refreshToken = "<refresh token>"
   const clientId = "<client id>"
   const clientSecret = "<client secret>"

   // Form-encoded body for the refresh_token grant
   const params = new URLSearchParams({
     grant_type: "refresh_token",
     refresh_token: refreshToken,
     scope: "scope1 scope2",
     client_id: clientId,
     client_secret: clientSecret,
   })

   // Send a POST request to refresh the access token
   fetch(endpoint, {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
     },
     body: params.toString(),
   })
     .then((response) => {
       if (!response.ok) {
         throw new Error("Failed to refresh access token")
       }
       return response.json()
     })
     .then((data) => {
       console.log("New access token:", data.access_token)
       console.log("New ID token:", data.id_token)
       console.log("New refresh token:", data.refresh_token)
     })
     .catch((error) => {
       console.error(error)
     })
   ```

   [source](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#refreshing-an-access-token)

3. When a client uses a refresh token to obtain a new access token, the authorization server may also issue a new ID token if the original token exchange included an ID token. The new ID token has an updated expiry time but retains the same `auth_time` (time when the user authenticated). The `auth_time` claim in the ID token is used to determine if the user's authentication session is still active. [source](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#refreshing-an-access-token)

4. Native applications must use the API flows which don't set any cookies. The response contains all data required to render the UI. On successful login, Ory issues a session token that can be used to authenticate subsequent requests to Ory. [source](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#native-application)

Please note that you should use tried and tested open source libraries to consume OAuth2 and OpenID Connect. Writing this code by oneself should not be done, as you would not write your own SHA512 library. [source](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant)
m
@chilly-king-10285 How would a native app obtain a refresh token from Ory’s REST APIs?
c
A message from kapa.ai
Based on the information provided in the extracts, the process of obtaining a refresh token in a native app involves initiating a login or registration flow and successfully authenticating the user. However, the specific steps or API endpoints for obtaining a refresh token directly are not explicitly mentioned in the provided extracts.

In general, the refresh token is issued to the client during the initial token issuance. When the access token expires, the refresh token can be used to obtain a new access token or ID token without the user's involvement. [source](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant)

For native applications, Ory issues a session token that can be used to authenticate subsequent requests to Ory after successful login. [source](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#native-application)

However, for the specific API calls or endpoints to obtain a refresh token directly in a native app, I recommend checking the Ory API documentation or the specific Ory service's documentation that you are using.