Architecture answers
The technical questions our solutions engineers answer every week — illustrated where a picture replaces a thousand support tickets.
The client app requests an authorization code from the auth server, exchanges it for an access token, and uses that token to call the resource server. Refresh tokens rotate on every exchange, so a leaked token has a limited blast radius.
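The flow above as a small in-memory model, added here as an illustration; it is not this product's code, and `AuthServer` and its method names are hypothetical. It goes one step beyond the text by also revoking the whole token family when a rotated-out refresh token is presented again, and it assumes client authentication, redirect URI checks and PKCE happen elsewhere.

```python
import secrets
import time

class AuthServer:
    """Constructed in-memory authorization server (hypothetical, illustration only)."""

    def __init__(self, access_ttl=300):
        self.access_ttl = access_ttl
        self.codes = {}       # authorization code -> client_id (single use)
        self.refresh = {}     # refresh token -> {"family", "client", "used"}
        self.revoked = set()  # token families revoked after a replay
        self.access = {}      # access token -> (family, expiry timestamp)

    def authorize(self, client_id):
        code = secrets.token_urlsafe(16)
        self.codes[code] = client_id
        return code

    def _issue(self, client_id, family):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (family, time.time() + self.access_ttl)
        self.refresh[rt] = {"family": family, "client": client_id, "used": False}
        return {"access_token": at, "refresh_token": rt}

    def exchange_code(self, client_id, code):
        # pop() makes the code single use; a replayed code fails here.
        if self.codes.pop(code, None) != client_id:
            raise PermissionError("invalid_grant")
        return self._issue(client_id, family=secrets.token_hex(8))

    def refresh_tokens(self, client_id, refresh_token):
        rec = self.refresh.get(refresh_token)
        if rec is None or rec["client"] != client_id or rec["family"] in self.revoked:
            raise PermissionError("invalid_grant")
        if rec["used"]:
            # A rotated-out token came back, so a stale copy exists somewhere.
            # Revoke every token descended from the same authorization.
            self.revoked.add(rec["family"])
            raise PermissionError("invalid_grant: refresh token reuse")
        rec["used"] = True  # rotation: the presented token is now retired
        return self._issue(client_id, rec["family"])

    def call_resource(self, access_token):
        # Resource-server check: token known, family not revoked, not expired.
        family, expiry = self.access.get(access_token, (None, 0))
        return family is not None and family not in self.revoked and time.time() < expiry
```

Replaying the first refresh token after one rotation raises `PermissionError` and also invalidates the tokens issued by that rotation, which is what keeps a copied token from outliving its next legitimate use.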