Access and Refresh Tokens in the Backend

Adarsh JhaAdarsh Jha
3 min read

Hey there everyone! First of all I'd like to let everyone know that this is my first ever blog on Hashnode so I'd love to recieve the feedback from you people. I will try and share the best of my learnings.

So, have you ever wondered what happens after we sign up on a website. What is the key information that is sent by the backend servers so that we stay logged in and can browse through all the protected routes of the web. Well that is what we are gonna explore here.

What are Access Tokens?

So whenever we sign up on a website, in general, our passwords are not stored in the database as plain strings; instead, we store them in the form of a "Hashed string". These strings are essentially a form of gibberish text generated by applying a hashing algorithm to the original string. There are various algorithms available for generating the hash of a particular string, with SHA-256 being one of the most common.

Now, since we are storing the password in this hashed format, there should be a mechanism that can establish a relationship between the normal password string and its hashed representation. This is where the concept of Access Tokens comes into play.

Authentication and Access Tokens:

When a user logs in to a website, their credentials are verified through a secure authentication process. Once the authentication is successful, the server generates an Access Token and associates it with the user's session. An Access Token is essentially a cryptographic token that serves as a proof of authentication.

Key Characteristics of Access Tokens:

  1. Encoded Information:

    • Access Tokens often contain encoded information about the user and their permissions. This information is typically encoded in a format like JSON Web Token (JWT).
  2. Limited Lifespan:

    • Access Tokens have a limited lifespan, meaning they are valid for a certain duration. This enhances security by minimizing the window of opportunity for misuse.
  3. Authorization Scope:

    • Access Tokens may include information about the user's authorization scope, specifying the actions or resources they are allowed to access.

Use Cases of Access Tokens:

  1. API Authorization:

    • Access Tokens are commonly used in API authentication. Clients present the Access Token to the server to access protected resources.
  2. Single Sign-On (SSO):

    • In Single Sign-On systems, Access Tokens enable users to access multiple services without the need to re-enter credentials.
  3. Securing Web Applications:

    • Access Tokens play a crucial role in securing web applications by ensuring that only authenticated users can access protected resources.

The Role of Refresh Tokens:

Introduction to Refresh Tokens

Access Tokens, being short-lived, can expire. Refresh Tokens step in to get you a new Access Token without forcing you to log in again. I am still learning more about what are the things which we can get hold of through these Refresh Tokens, but for now you can just interpret it as a backup layer of security so that in case your access tokens expires, you can still log in to the website/application through the verification of these refresh tokens. Generally speaking, these tokens have a much longer expiration period compared to the access tokens.

Conclusion:

Access and Refresh Tokens are the superheroes of web security, making sure you're authenticated, authorized, and your online experience remains enjoyable. Though I am a bare beginner to explain more about the refresh tokens still I said whatever I knew. Learning about authentication in web applications is itself a big fun.

Addition resources:
JWT

Access and Refresh Tokens - Hitesh Choudhary

Lastly, a big shoutout to our respected Hitesh Choudhary sir, he's the one from whom I got this inspiration of sharing all this knowledge.

10
Subscribe to my newsletter

Read articles from Adarsh Jha directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Adarsh Jha
Adarsh Jha

I am a budding full stack web developer from India. I am currently in the 2nd year of B.Tech in Computer Science and Engineering from Heritage Institute of Technology, Kolkata.