coder
diff --git a/‎coderd/database/dbgen/dbgen.go
+6-6 b/‎coderd/database/dbgen/dbgen.go
+6-6
diff --git a/‎coderd/database/dbmem/dbmem.go
+6-6 b/‎coderd/database/dbmem/dbmem.go
+6-6
diff --git a/‎coderd/database/dump.sql
+3-3 b/‎coderd/database/dump.sql
+3-3
diff --git a/‎coderd/database/migrations/000186_oauth2_provider_codes.up.sql
+3-3 b/‎coderd/database/migrations/000186_oauth2_provider_codes.up.sql
+3-3
diff --git a/‎coderd/database/models.go
+7-7 b/‎coderd/database/models.go
+7-7
diff --git a/‎coderd/database/queries.sql.go
+10-10 b/‎coderd/database/queries.sql.go
+10-10
diff --git a/‎coderd/database/queries/oauth2.sql
+1-1 b/‎coderd/database/queries/oauth2.sql
+1-1
@@ -719,12 +719,12 @@ func OAuth2ProviderAppCode(t testing.TB, db database.Store, seed database.OAuth2
 
 func OAuth2ProviderAppToken(t testing.TB, db database.Store, seed database.OAuth2ProviderAppToken) database.OAuth2ProviderAppToken {
 	token, err := db.InsertOAuth2ProviderAppToken(genCtx, database.InsertOAuth2ProviderAppTokenParams{
-		ID:           takeFirst(seed.ID, uuid.New()),
-		CreatedAt:    takeFirst(seed.CreatedAt, dbtime.Now()),
-		ExpiresAt:    takeFirst(seed.CreatedAt, dbtime.Now()),
-		HashedSecret: takeFirstSlice(seed.HashedSecret, []byte("hashed-secret")),
-		AppSecretID:  takeFirst(seed.AppSecretID, uuid.New()),
-		APIKeyID:     takeFirst(seed.APIKeyID, uuid.New().String()),
+		ID:          takeFirst(seed.ID, uuid.New()),
+		CreatedAt:   takeFirst(seed.CreatedAt, dbtime.Now()),
+		ExpiresAt:   takeFirst(seed.CreatedAt, dbtime.Now()),
+		RefreshHash: takeFirstSlice(seed.RefreshHash, []byte("hashed-secret")),
+		AppSecretID: takeFirst(seed.AppSecretID, uuid.New()),
+		APIKeyID:    takeFirst(seed.APIKeyID, uuid.New().String()),
 	})
 	require.NoError(t, err, "insert oauth2 app token")
 	return token
 
@@ -5372,12 +5372,12 @@ func (q *FakeQuerier) InsertOAuth2ProviderAppToken(_ context.Context, arg databa
 		if secret.ID == arg.AppSecretID {
 			//nolint:gosimple // Go wants database.OAuth2ProviderAppToken(arg), but we cannot be sure the structs will remain identical.
 			token := database.OAuth2ProviderAppToken{
-				ID:           arg.ID,
-				CreatedAt:    arg.CreatedAt,
-				ExpiresAt:    arg.ExpiresAt,
-				HashedSecret: arg.HashedSecret,
-				APIKeyID:     arg.APIKeyID,
-				AppSecretID:  arg.AppSecretID,
+				ID:          arg.ID,
+				CreatedAt:   arg.CreatedAt,
+				ExpiresAt:   arg.ExpiresAt,
+				RefreshHash: arg.RefreshHash,
+				APIKeyID:    arg.APIKeyID,
+				AppSecretID: arg.AppSecretID,
 			}
 			q.oauth2ProviderAppTokens = append(q.oauth2ProviderAppTokens, token)
 			return token, nil
 
@@ -15,14 +15,14 @@ CREATE TABLE oauth2_provider_app_tokens (
     id uuid NOT NULL,
     created_at timestamp with time zone NOT NULL,
     expires_at timestamp with time zone NOT NULL,
-    hashed_secret bytea NOT NULL,
+    refresh_hash bytea NOT NULL,
     app_secret_id uuid NOT NULL REFERENCES oauth2_provider_app_secrets (id) ON DELETE CASCADE,
     api_key_id text NOT NULL REFERENCES api_keys (id) ON DELETE CASCADE,
     PRIMARY KEY (id),
-    UNIQUE(app_secret_id, hashed_secret)
+    UNIQUE(app_secret_id, refresh_hash)
 );
 
-COMMENT ON TABLE oauth2_provider_app_tokens IS 'Refresh tokens both provide a way to refresh an access tokens (API keys) and a way to link API keys with the OAuth2 app and secret that generated them.';
+COMMENT ON COLUMN oauth2_provider_app_tokens.refresh_hash IS 'Refresh tokens provide a way to refresh an access token (API key). An expired API key can be refreshed if this token is not yet expired, meaning this expiry can outlive an API key.';
 
 -- When we delete a token, delete the API key associated with it.
 CREATE FUNCTION delete_deleted_oauth2_provider_app_token_api_key() RETURNS trigger
 
@@ -98,7 +98,7 @@ INSERT INTO oauth2_provider_app_tokens (
     id,
     created_at,
     expires_at,
-    hashed_secret,
+    refresh_hash,
     app_secret_id,
     api_key_id
 ) VALUES(