Figure 1: API key is exchanged into an IAM access token, which is then used to call a service.

For specific use cases, applications can also retrieve refresh tokens from IAM. This way, applications can retrieve a new access token when the previous 1 expires. This is important for the IBM Cloud Console or IBM Cloud CLI, for example, because otherwise, the end user would need to log in again after the access token expires (for example, after at least 60 minutes or even earlier). Refresh tokens need to be stored in a safe place—and even then, they eventually time out.

Customer applications in IBM Cloud have 2 ways to create an access token to be able to invoke IBM Cloud services:

1. Use an API key to get an access token (see here for more information):