Difference between access token and refresh token


Access token
This is a token generated by the server and sent to the client, but not stored in the database: the server verifies its signature rather than looking it up. The client sends it with every request so the server knows who is asking. It is short-lived on purpose, because the server keeps no copy it could revoke; if it leaks, it stops working at its expiry.
Refresh token
This is a token generated by the server and stored in the database (store a hash of it rather than the raw value, so a database leak does not hand out usable tokens). It is sent to the client together with the access token, but the client uses it only when the access token has expired and it needs a new one.
[Note: Both tokens, access and refresh, are sent to the client together the first time the client logs in.]
Key differences
Client use

| Access Token | Refresh Token |
| --- | --- |
| Used by the client to access protected routes. | Used by the client to get a new access token once the current one has expired. |

Server use

| Access Token | Refresh Token |
| --- | --- |
| The server checks it to decide whether to allow a private action for this client, such as uploading a video or liking a post. | The server matches it against the copy stored in the database and, if it matches and is not itself expired, issues a new access token. It does this whenever a valid refresh token is presented, whether or not the old access token has already expired. |
Understand with practical application
When you log in to YouTube, YouTube sends you two tokens: an access token and a refresh token. Say the access token is set to expire in 1 day and the refresh token in 30 days.

On the first day you watch videos without being asked for your username/email and password again for each video you click. YouTube needs to verify who is asking for the video, and it recognizes you by the token it gave you: for each video request the YouTube front end sends the access token.

The next day your access token has expired. The front end now sends a request to a different route, which checks your refresh token instead of the expired access token. The YouTube server matches the refresh token you provided with the one it has stored in the database, and if they match it sends you a new access token without asking the client for a password.

After 30 days the refresh token expires too. At that point the client needs sign-in credentials again to get a new refresh token and access token.
Written by Amardeep Sharma