I am curious to know what the authentication flow of the Shopify API is. Is it OAuth2?
I have seen a page at https://shopify.dev/apps/auth/oauth and it said that “Shopify uses OAuth 2.0’s authorization code grant flow to issue access tokens on behalf of users”.
I created a public app, then created a shop website for testing.
My app authenticates with [Shop-url]/admin/oauth/access_token given the client id and client secret of my app, and I got the access token response below:
{
"access_token": "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",
"scope": "read_orders",
"expires_in": 86380,
...
}
However, the access token response does not provide the “refresh_token”. I only found the solution of getting the refresh token on the partner dashboard (https://shopify.dev/apps/auth/oauth/rotate-revoke-api-credentials#step-4-generate-new-refresh-token).
My questions are listed below:
- Why does Shopify Authentication provide the “refresh_token”? If a user installs a public app, it has already asked for the permission. Should I pass any value to the scope parameter to request the permission to get the refresh token?
- Do you have an API to generate a new refresh token instead of generating it on the partner dashboard?
- Can we set the timeout of the refresh token to more than 1 hour?
- Is it possible for the public app to call the API without manually creating the refresh token on the partner dashboard?