Glossary entry

Refresh token

In a nutshell

A long-lived credential a client exchanges for a fresh short-lived access token (in Firebase's case the ID token, a JWT). It is the mechanism that keeps users signed in across sessions without storing a password on the device.

Access tokens like Firebase's ID token are designed to be short-lived. Firebase issues them with a one-hour lifetime, and an hour is a common default elsewhere. If an access token leaks, the attacker has at most an hour before it stops working: a small blast radius and predictable cleanup. The caveat is that expiry is the only thing that ends a stolen token unless your backend also checks revocation on each request (the Firebase Admin SDK's verifyIdToken does this when called with checkRevoked set to true, at the cost of a lookup per call). The cost of the short lifetime is that, on its own, it would force the user to sign in again every hour, which is unbearable.

Refresh tokens fix the user-experience problem without giving up the security one. The refresh token is held by the client, is never sent to your backend, and is only ever exchanged at the auth provider's token endpoint. When the access token expires, the SDK silently swaps the refresh token for a new access token and the user never sees a sign-in screen. The flip side is that the refresh token, not the access token, is the credential worth stealing: it sits in client storage, and a script that can read that storage walks off with persistent access. Firebase refresh tokens have no time-based expiry; they are invalidated only when the user is deleted or disabled, when the password or email address changes, or when an administrator revokes them explicitly (revokeRefreshTokens in the Admin SDK), so a revocation path should be part of your incident response plan before you need it.

When refresh tokens go wrong, they tend to go wrong silently. The most common shape is a refresh that fails or loops: usually because of clock skew on the device (the newly minted token already looks expired, or not yet valid, by the local clock), a revoked refresh token (the provider rejects the exchange and the SDK signs the user out), or a browser persistence mode that discards the refresh token when the tab closes. In every case the user lands on the sign-in screen without a clear error in your logs, because the exchange never touched your backend. Diagnosing it means turning on Firebase's debug logging and watching the network tab for the exchange itself, a POST to securetoken.googleapis.com, to see whether it is being rejected or is succeeding and immediately re-triggering.
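The following is an added example, not Firebase SDK code, that reconstructs the silent refresh loop described above in a form you can run offline: a small token manager reads exp from the ID-token JWT, exchanges the refresh token shortly before expiry, and fails with a clear error instead of looping when the exchange keeps handing back tokens the local clock already considers expired, or when the provider rejects a revoked refresh token. The demo ID tokens are constructed and unsigned (a client only reads exp to schedule refreshes and must never treat a decoded payload as verified; that is the backend's job), the fake provider, the "rt-demo" refresh token, the 300-second refresh margin and the two-attempt limit are all assumptions for the demo, and the clock is injectable so skew can be simulated.

```javascript
// Added example, not Firebase SDK code. Mirrors what the SDK does silently:
// read `exp`, refresh before expiry via the provider's exchange endpoint,
// and surface clock skew and revocation as explicit errors instead of a loop.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Decodes the payload only. No signature check: a client uses this to
// schedule refreshes, never to trust the claims.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Constructed, UNSIGNED demo token (alg "none"); stands in for a one-hour ID token.
function makeDemoIdToken(iat, ttlSeconds = 3600, sub = "user-123") {
  const header = b64url({ alg: "none", typ: "JWT" });
  const payload = b64url({ sub, iat, exp: iat + ttlSeconds });
  return `${header}.${payload}.`;
}

class TokenManager {
  // exchange: async (refreshToken) => ({ idToken, refreshToken }) (assumed shape)
  // now: () => seconds since epoch; injectable so clock skew can be simulated
  constructor({ idToken, refreshToken, exchange,
                now = () => Math.floor(Date.now() / 1000), refreshMarginSeconds = 300 }) {
    this.idToken = idToken;
    this.refreshToken = refreshToken;
    this.exchange = exchange;
    this.now = now;
    this.margin = refreshMarginSeconds; // assumed: refresh 5 minutes early
  }

  // Expired, or about to expire, according to the LOCAL clock.
  needsRefresh(idToken = this.idToken) {
    const { exp } = decodeJwtPayload(idToken);
    return exp - this.margin <= this.now();
  }

  async getIdToken() {
    if (!this.needsRefresh()) return this.idToken;
    // Bounded retry: a fresh token that still looks expired means the device
    // clock is wrong; another exchange will not fix that, so stop and say so.
    for (let attempt = 0; attempt < 2; attempt++) {
      let fresh;
      try {
        fresh = await this.exchange(this.refreshToken);
      } catch (err) {
        // e.g. a revoked refresh token: surface it rather than silently signing out
        throw new Error(`refresh token exchange failed: ${err.message}`);
      }
      this.idToken = fresh.idToken;
      if (fresh.refreshToken) this.refreshToken = fresh.refreshToken;
      if (!this.needsRefresh()) return this.idToken;
    }
    const { iat, exp } = decodeJwtPayload(this.idToken);
    throw new Error(`fresh token already expired locally (iat=${iat}, exp=${exp}, ` +
                    `local now=${this.now()}): check device clock`);
  }
}

const SERVER_NOW = 1_700_000_000; // constructed fixed provider-side clock for the demo

// Fake exchange endpoint standing in for the provider's token endpoint
// (Firebase's is securetoken.googleapis.com). `revoked` simulates admin revocation.
function makeFakeProvider({ revoked = false } = {}) {
  let calls = 0;
  return {
    calls: () => calls,
    exchange: async (refreshToken) => {
      calls++;
      if (revoked || refreshToken !== "rt-demo") {
        throw new Error("refresh token rejected by provider"); // constructed error text
      }
      return { idToken: makeDemoIdToken(SERVER_NOW), refreshToken };
    },
  };
}

// Runs the four scenarios the entry describes and returns what happened.
async function runScenarios() {
  const out = {};
  const mk = (idToken, exchange, now) =>
    new TokenManager({ idToken, refreshToken: "rt-demo", exchange, now });

  let p = makeFakeProvider(); // 1. token still fresh: no exchange at all
  await mk(makeDemoIdToken(SERVER_NOW), p.exchange, () => SERVER_NOW + 60).getIdToken();
  out.freshExchanges = p.calls();

  p = makeFakeProvider(); // 2. token expired an hour ago: exactly one exchange
  const t = await mk(makeDemoIdToken(SERVER_NOW - 7200), p.exchange, () => SERVER_NOW).getIdToken();
  out.expiredExchanges = p.calls();
  out.expiredNewExp = decodeJwtPayload(t).exp;

  p = makeFakeProvider(); // 3. device clock two hours ahead: bounded, then a clear error
  try { await mk(makeDemoIdToken(SERVER_NOW), p.exchange, () => SERVER_NOW + 7200).getIdToken();
        out.skewError = null; } catch (e) { out.skewError = e.message; }
  out.skewExchanges = p.calls();

  p = makeFakeProvider({ revoked: true }); // 4. refresh token revoked: exchange rejected
  try { await mk(makeDemoIdToken(SERVER_NOW - 7200), p.exchange, () => SERVER_NOW).getIdToken();
        out.revokedError = null; } catch (e) { out.revokedError = e.message; }
  return out;
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The point of the bounded retry is diagnosability: a real SDK that simply retries on expiry produces the silent loop described above, whereas a manager that stops after two exchanges and reports the iat, exp and local time gives you the clock skew in the error itself, and the revoked case is logged as a rejected exchange rather than an unexplained sign-out.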
