Access Token and Refresh Token

Prashant
6 min read

Access Token

As the name suggests, this token is for accessing something, or maybe it grants permission to access something. Let's dive in and find out!

From the technical viewpoint, an access token is a credential that the client presents with each request to prove that the user has already been authenticated and is allowed to access a particular resource. If the client holds a valid access token, it can access that resource.

The important word is valid. Suppose you have a lock and a key, but the key is not for that lock; it belongs to someone else's lock, so the lock won't open. A made-up, tampered or expired access token is that wrong key.

So the conclusion is: if the token is invalid you can't access the resource, and if the token is valid you can.


Now Let's Talk about the Coder's Perspective

Let's take the example of logging in to a website. Suppose you log in to Instagram (used here only as a familiar example). On a successful login the server generates an "ACCESS TOKEN" and the browser stores it, for instance in a cookie (cookies deserve their own blog; for now, think of a cookie as small browser storage that saves data as text). After some time playing with Instagram you close the browser without logging out, and a day later you open the Instagram website again and find that you are still logged in, with no need to enter your credentials again. Why?

  • How Does it work?

Now the access token stored in your browser comes into the picture. When you open Instagram the next day, the browser sends the stored access token to the server along with the API request, and the server checks whether the incoming token is valid. With a JWT that check is a signature verification, not a decryption: the token's payload is only base64url-encoded, so anyone who holds the token can read it, but the signature at the end can only be produced or checked by whoever holds the secret key. The server recomputes the signature over the header and payload, compares it with the one on the token, and then checks the expiry time. If both pass, you are sent straight to the home page without logging in again.

The secret key belongs to the server, not to the user: a long, randomly generated string (or, with RS256, a private/public key pair) that the server uses to sign tokens at login and to verify them on every request. The secret key should never be hardcoded in the source; keep it in an environment variable or a secret manager, and rotate it if it is ever exposed, because anyone who has it can mint tokens for any user.

  • Token Expiry

But if the token has expired, it is now invalid and you need to log in again. The server no longer recognizes you, because your identity was that token: the server only knows the token, not you. If the token is valid, you're welcome; otherwise, get lost 😂😂.

A token also has a validity period, set by the programmer: maybe 30 days, 1 day, 1 hour, 15 minutes, etc. Once the token expires you are effectively logged out and need a new access token to continue.

Access tokens are usually short lived, typically minutes to an hour rather than days, because a stolen access token stays usable until it expires and a bare token cannot be revoked cheaply. The shorter its life, the smaller the damage a leaked token can do.

  • An access token can be generated in two main ways:
  1. Re-Login

    • The user enters their credentials.

    • The server verifies the credentials and issues a new ACCESS TOKEN.

    • It is like renewing a monthly or yearly membership on a video streaming platform.

  2. Through a Refresh Token

    • If the access token expires, the client can use a Refresh Token (if one was issued earlier) to request a new access token without the user logging in again or re-entering their ID and password.

    • This approach is commonly used in JWT-based authentication to improve user experience while maintaining security.

    • Conclusion: Access token expires after a set time. Instead of making the user log in again, refresh tokens help generate a new access token without asking for credentials.

Refresh Token

So it's time to talk about the Refresh Token. As the name suggests, it refreshes something, and that something is the access token. But why, how, and what? Okay, okay, okay, no need to worry, let's shed some light on the topic.

Before jumping to "What is a refresh token", let me tell you one thing: you can do your work without a refresh token, but it comes with a trade-off. Without one, you either issue long-lived access tokens (so a stolen token stays useful for a long time) or force users to log in again every time a short-lived token expires.


  • What is Refresh Token ?

A Refresh Token's job is simple: it is exchanged for a new access token when the old one expires.

Whenever the Access Token completes its life, i.e. the expiry time set by the programmer has passed, the Access Token is obsolete and without it the user would have to log in again with credentials such as ID and password. If we don't want the user to re-enter the login credentials, this is where the Refresh Token comes into the picture.

So, after the Access Token expires, the client sends the Refresh Token to the server and the server issues a new Access Token, so the user does not have to enter credentials to log in again. From now on the new Access Token is what proves you are the authentic user of that Instagram account (or whatever you're using), until it too expires.

Now the question is: where does this Refresh Token come from?

  • The server creates it at login as a long random string that cannot be guessed. A copy (ideally only its hash, so a database leak does not hand out usable tokens) is stored in the database together with the user it belongs to and its expiry, and the token itself is sent to the browser in an HttpOnly cookie. Neither copy needs to be "encrypted"; what matters is that the token is unguessable, that the browser copy cannot be read by page scripts, and that the server copy can be compared and revoked.

  • After the Access Token expires, the client hits the refresh endpoint. The server extracts the Refresh Token from the cookie, hashes it the same way and looks it up in the database. If a matching record exists and it is not expired or revoked, congratulations! You get a new Access Token (and, with rotation, a new Refresh Token as well), and there is no need to enter your login ID and password again.

  • But if the Refresh Token from the cookie does not match any record in the database, better luck next time! 😂😂 You will not get a new Access Token and must log in again with your credentials (username, password, etc.).

Expiry of Refresh Token

Refresh Tokens are long lived compared with access tokens, typically days to weeks (7, 14 or 30 days are common choices). The expiry caps how long a stolen refresh token can keep minting access tokens, so pick it deliberately rather than making it indefinite.

  • Security Concerns

Storing refresh tokens securely, in the cookie and in the database, is crucial to prevent unauthorized access. On the server, store a hash of the token rather than the token itself and compare hashes on every refresh. In the browser, keep it out of reach of scripts (HttpOnly cookie) and off plaintext connections (Secure cookie).

If your refresh tokens are themselves JWTs, the server signs them with a secret key (a long, randomly generated string of letters, numbers and symbols) that should be different from the access-token secret. As with the access-token key, never hardcode it; load it from an environment variable or a secret manager.

Tip: Additionally, best practices include setting an expiration for refresh tokens, rotating them after each use (and revoking the whole chain if an already-used token shows up again), and sending them in HttpOnly, Secure, SameSite cookies scoped with Path to the refresh endpoint. Note that HttpOnly does not prevent XSS itself; it stops a script injected through XSS from reading the cookie.

Final Thoughts
Authentication using Access Tokens and Refresh Tokens plays a crucial role in balancing security and user experience. Access Tokens give fast verification on every request but have a short lifespan, which limits the damage if one leaks. Instead of forcing users to log in repeatedly, Refresh Tokens allow seamless renewal of the access token while staying revocable on the server side. To keep the system robust, the signing secret must be protected, refresh tokens hashed at rest, rotation applied on every use, and cookies set with the HttpOnly, Secure and SameSite flags. When used correctly, this design strikes a balance between convenience and protection, making authentication efficient and secure.

Contact: meprashanttyagi2000@gmail.com
