Tokens
First of all, let's understand what tokens are. A token is a small piece of data that represents some information and can be transmitted easily.
In web development, we use tokens for authentication: they let the server identify a user and grant that user access to resources.
You can think of a token as a virtual ID card for a client (user).
How do tokens work?
When a user logs in, the server generates a token, often in the form of a JSON Web Token (JWT). A JWT carries encoded information such as the user ID and the token's expiration time, plus a digital signature so the server can detect whether the token has been tampered with. The client then includes this token in its requests to the server to prove the user's identity.
Types of Tokens
Access Tokens
Access tokens are short-lived tokens that grant access to resources such as API endpoints.
The client includes one in every request so that the server can decide whether the client is authorized to access that resource.
On the client they are commonly stored in HTTP-only cookies (cookies that client-side scripts cannot read, which reduces the risk of token theft through Cross-Site Scripting (XSS)).
Refresh Tokens
Refresh tokens are longer-lived tokens used to obtain new access tokens without requiring the user to re-authenticate.
When the access token expires, the client presents its refresh token and the server issues a new access token, so the user can keep using server resources without signing in again.
The server stores refresh tokens in a database so that it can check every refresh request against a record it controls.
Why use both?
Advantages of using both tokens:
Enhanced security: Limiting the lifespan of access tokens limits the damage a compromised token can do. If an access token is stolen, it expires relatively quickly, which shrinks the window for unauthorized access.
Improved user experience: Refresh tokens let users obtain new access tokens without re-authenticating every time an access token expires, which reduces login friction.
Summary
Tokens are a critical component in modern web applications, enabling secure authentication and authorization. By using both access tokens and refresh tokens, you can balance security with user experience, providing seamless and safe access to resources while minimizing security risks.