I’m trying to understand how different apps manage user authentication. What I’ve seen is that there is usually a pair of access token and refresh token (which refreshes the access token upon expiration) and the access token is used to ultimately authenticate the user. But what is their expiration period in case of apps that keeps the user logged in, like forever, like Instagram or Facebook. Or do they user some other techniques ? Also, how secure is that ?