Access Tokens and Refresh Tokens

Aditya VermaAditya Verma
3 min read

Introduction :

Tokens are used to authenticate users and authorize requests from clients without keeping the session data on the servers.

Tokens provide a way to avoid storing tokens in a database by encoding all of the necessary information in the token string itself.

The main benefit of this is that API servers are able to verify access tokens without doing a database lookup on every API request, making the API much more easily scalable.

Here in this article we will talk about Access token and Refresh token.

Access Token :

An access token provides temporary access to restricted resources such as APIs or other resources of the website.

Access token is a bearer token. This means that those who have it can access the resources of the website. It is focuses more on accessing the resources rather than identification. Malicious users can compromise a system and steal access token and use it to access the restricted resources. There are many ways to avoid this by following some best practices.

Generally access tokens are short lived having lifespan ranging from a few minutes to a few hours. This ensures that even if the access token is compromised it can be used only for a limited amount of time before it expires.

Refresh Token :

As we have seen that access tokens are short lived hence there is a need to regenerate a new access token to be able to use the restricted resources. This can be achieved by either making the user to again login entering the credentials or by using refresh tokens. Making the client login frequently can destroy the user experience. Hence we use refresh tokens.

Once the access token expires the client can use refresh token to generate ( refreshed ) a new access token. Hence refresh token acts as a credential that lets the client have new access token without making them login again by entering the credentials. The client can generate as many access tokens with the help of refresh token till the refresh token is valid and not expired. The refresh tokens have a longer duration of life when compared to access token.

Refresh token is very important and it gives a lot of power to the client hence a compromise in its security can give its access to malicious users. These users whether being legitimate or not can generate access tokens. To avoid this happening companies use various methods one of them is Refresh Token Rotation.

Refresh Token Rotation :

Refresh token rotation is the process in which whenever a new access token is generated ( refreshed ) a new refresh token is also generated and returned.

To know more about Refresh Token Rotation checkout:

https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation

Defining a method to generate access token and refresh token using mongoose:

userSchema.methods.generateAccessToken = function(){
    const payload = {
        _id: this._id,
        email: this.email,
        username: this.username,
        fullName: this.fullName
    };
    return jwt.sign(payload, process.env.ACCESS_TOKEN_SECRET, {
        expiresIn: process.env.ACCESS_TOKEN_EXPIRY
    });
};

userSchema.methods.generateRefreshToken = function(){
    const payload = {
        _id: this._id
    };

    return jwt.sign(payload, process.env.REFRESH_TOKEN_SECRET, {
        expiresIn: process.env.REFRESH_TOKEN_EXPIRY
    });
};

👋 Hello, I'm Aditya Verma 😁

✌️If you liked this article I'd also suggest you check out Hitesh Choudhary's content on YouTube

🥰Thank You if you liked this article, consider sharing it.

11
Subscribe to my newsletter

Read articles from Aditya Verma directly inside your inbox. Subscribe to the newsletter, and don't miss out.

accesstokenrefresh-token#HiteshChaudhary Web DevelopmentJavaScriptNode.js

Written by

Aditya Verma
Aditya Verma

Hey! I'm Aditya Verma, a tech lover who's always excited about checking out new stuff. I'm all about diving into the latest gadgets and software, and I'm eager to grow within the tech community.