According to the specification, refresh_token is optional. A client requiring it is non-conforming. Extra fields are indirectly allowed "typically along with some additional properties about the authorization." So having both "token" and "access_token" is fine according to the standard, but I assume Hyrum's law applies as well.
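Added example, not part of the original post: a client-side parser for the token response that requires only the members RFC 6749 section 5.1 marks as required, treats refresh_token as optional, and ignores unrecognized members such as "token". The names `parse_token_response`, `TokenResponse`, `TokenResponseError` and the sample body are assumptions made for this illustration.

```python
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Members RFC 6749 section 5.1 defines for a successful token response.
KNOWN = {"access_token", "token_type", "expires_in", "refresh_token", "scope"}


class TokenResponseError(ValueError):
    """The response lacks a required member or has one of the wrong type."""


@dataclass
class TokenResponse:
    access_token: str
    token_type: str
    expires_in: Optional[int] = None
    refresh_token: Optional[str] = None  # optional: absence is not an error
    scope: Optional[str] = None
    ignored: List[str] = field(default_factory=list)  # names only, never values


def parse_token_response(body: str) -> TokenResponse:
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenResponseError("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise TokenResponseError("token response must be a JSON object")
    # Only access_token and token_type are required.
    for name in ("access_token", "token_type"):
        if not isinstance(data.get(name), str) or not data[name]:
            raise TokenResponseError(f"missing required member: {name}")
    # Optional string members are type-checked only when present.
    for name in ("refresh_token", "scope"):
        if name in data and not isinstance(data[name], str):
            raise TokenResponseError(f"{name} must be a string")
    expires_in = data.get("expires_in")
    if expires_in is not None and (type(expires_in) is not int or expires_in <= 0):
        raise TokenResponseError("expires_in must be a positive integer")
    return TokenResponse(
        access_token=data["access_token"], token_type=data["token_type"],
        expires_in=expires_in, refresh_token=data.get("refresh_token"),
        scope=data.get("scope"), ignored=sorted(set(data) - KNOWN))


# Constructed sample: carries both "token" and "access_token", no refresh_token.
SAMPLE = ('{"token": "constructed-value", "access_token": "constructed-value", '
          '"token_type": "Bearer", "expires_in": 3600}')
```

Recording only the names of ignored members keeps unexpected token-like values out of logs while still showing which extra fields a server sends.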