diff --git a/venafi/provider.go b/venafi/provider.go
index 51262ef..9cad930 100644
--- a/venafi/provider.go
+++ b/venafi/provider.go
@@ -61,6 +61,18 @@ Example for Venafi as a Service: Default`,
 DefaultFunc: schema.EnvDefaultFunc("VENAFI_TOKEN", nil),
 Description: `Access token for TPP, user should use this for authentication`,
 },
+ "refresh_token": &schema.Schema{
+ Type: schema.TypeString,
+ Optional: true,
+ DefaultFunc: schema.EnvDefaultFunc("VENAFI_REFRESH_TOKEN", nil),
+ Description: `Refresh token for TPP, user should use this for authentication`,
+ },
+ "client_id": &schema.Schema{
+ Type: schema.TypeString,
+ Optional: true,
+ DefaultFunc: schema.EnvDefaultFunc("VENAFI_CLIENT_ID", "vcert-sdk"),
+ Description: `Client Id for Refresh token based authentication. Default value: "vcert-sdk"`,
+ },
 "api_key": &schema.Schema{
 Type: schema.TypeString,
 Optional: true,
@@ -99,6 +111,8 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 tppUser := d.Get("tpp_username").(string)
 tppPassword := d.Get("tpp_password").(string)
 accessToken := d.Get("access_token").(string)
+ refreshToken := d.Get("refresh_token").(string)
+ clientId := d.Get("client_id").(string)
 zone := d.Get("zone").(string)
 tflog.Info(ctx, fmt.Sprintf("====ZONE==== : %s", zone))
 devMode := d.Get("dev_mode").(bool)
@@ -140,6 +154,18 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 Zone: zone,
 LogVerbose: true,
 }
+ } else if refreshToken != "" {
+ tflog.Info(ctx, fmt.Sprintf("Using Platform with url %s to issue certificate\n", url))
+ cfg = vcert.Config{
+ ConnectorType: endpoint.ConnectorTypeTPP,
+ BaseUrl: url,
+ Credentials: &endpoint.Authentication{
+ RefreshToken: refreshToken,
+ ClientId: clientId
+ },
+ Zone: zone,
+ LogVerbose: true,
+ }
 } else if apiKey != "" {
 if url != "" {
 tflog.Info(ctx, messageUseVaas)
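Review bot: The new `refresh_token` attribute is not marked sensitive, so Terraform is free to print its value in plan and apply output; a refresh token is a long-lived credential and its schema entry should carry `Sensitive: true,`. Whether the neighbouring `access_token` entry is already marked is not visible here (only its last three lines are in the hunk), so it is worth checking at the same time. The `Description` is also the `access_token` text with one word swapped; it would help to say that the token is used together with `client_id`.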
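Review bot: The local `clientId` does not follow Go's initialism convention and would be flagged by the usual linters; `clientID := d.Get("client_id").(string)` is the conventional spelling, with the matching use in the later hunk updated to `ClientId: clientID,`. The struct field `ClientId` belongs to the vcert library and stays as it is. The body of providerConfigure starts and ends outside this hunk.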
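Review bot: `ClientId: clientId` in the new `endpoint.Authentication` literal has no trailing comma before the line break, so the file will not compile; the line should read `ClientId: clientId,`. From the visible context this branch appears to follow the access-token branch, so a configuration that sets both `access_token` and `refresh_token` would silently ignore the refresh token; that precedence should be documented or the combination rejected. If the TPP server rotates the refresh token when it is exchanged, the value held in configuration would be stale after the first run, and nothing in this hunk stores the replacement; this should be confirmed against the vcert behaviour. The if/else chain begins and ends outside the hunk.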