A good auth system contains access and refresh tokens. I know what access-tokens are for and I know what refresh tokens DO – but I don’t understand their meaning.

For example:
If I authenticate myself successfully to an API, then I get an access token and a refresh token. If a bad guy steals my access code, he can access the API maybe the next 5 minutes or so. But if he steals my refresh token which maybe expires in 6 months he can give himself every time a new access-token and so he can stay longer in the system.

So what are the advantages of refresh tokens – I don’t see them?