[Yandex Cloud documentation](../../index.md) > [Yandex Identity Hub](../index.md) > [Step-by-step guides](index.md) > Authentication > Enabling refresh tokens

# Enabling the use of refresh tokens in the Yandex Cloud CLI

A [refresh token](../../iam/concepts/authorization/refresh-token.md) is a type of credential that allows an OAuth application to automatically obtain a new IAM token after the user's [IAM token](../../iam/concepts/authorization/iam-token.md) expires.

To allow users to use refresh tokens in the [Yandex Cloud CLI](../../cli/index.md), enable this feature at the Yandex Identity Hub level:

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization) using an administrator or organization owner account.

      [Switch](manage-organizations.md#switch-to-another-org) to an organization of your choice as required.
  1. In the left-hand panel, select ![shield](../../_assets/console-icons/shield.svg) **Security settings**.
  1. Under **Authentication settings**, check **Enable refresh tokens**.
  1. Optionally, to use enhanced refresh token [security](../../iam/concepts/authorization/refresh-token.md#dpop-verification) using DPoP keys with their obligatory storage on a [YubiKey](https://developers.yubico.com/Passkeys/), enable **Allow DPoP key storage only on YubiKeys**.

      With this option disabled, you can use DPoP keys saved both on a YubiKey and the user's local file system to ensure refresh token security.

{% endlist %}

To use refresh tokens in the Yandex Cloud CLI, each user must [initialize DPoP](../../iam/concepts/authorization/refresh-token.md#enabling-dpop) after you enable this option at the organization level.