When any authentication is completed and sucessful against the Boka API, a refresh token is stored securely on the client computer. If secure storage is prohibited, such as in private mode of some browsers, the token will not be stored and the authentication will only last until the browser is closed, or the authentication cookie expires.
This flow is handled by the
autoLogin feature in the init() procedure. This will ensure that the user is always authenticated against the Boka API (even if the access has expired) for as long as the refresh token remains valid.