It would be wonderful if the REST API documentation was a little more clear about the use of refresh_token or access_token in authenticated calls to the REST API.  There are a couple of blogs out there that touch on how to hit the API via Postman but the information contained in those is either conflicting or stale.  It would be best if the Trailhead modules better called out how to use tools other than the Workbench, which obfuscate the header creation and therefore don't help developers learn how to use this.  I struggled for a couple of hours yesterday and finally got the API working, only to wake up this morning and receive the INVALID_SESSION_ID error message on attempting the same invocation that succeeded hours before.  My connected app has OAUTH settings enabled that would seem to allow the use of the refresh token but maybe Postman doesn't send that in the header by default.  What recourse do developers have in this case if they haven't purchased premier support?

OAuth policies
Permitted UsersAll users may self-authorizeIP RelaxationRelax IP restrictions
UsageView OAuth UsageRefresh Token Policy:Refresh token is valid until revoked
Single LogoutSingle Logout disabled  
This application has permission to:Perform requests on your behalf at any time  
This application has permission to:Full access  
This application has permission to:Provide access to your data via the Web  
This application has permission to:Access and manage your data