How Access Tokens and Refresh Tokens Work

Access tokens and refresh tokens are both credentials used in OAuth 2.0 and OpenID Connect (OIDC), popular protocols and standards for secure authentication and authorization. These tokens identify and authorize users or services when they interact with APIs or servers.
Access Token: An access token is a short-lived credential used to authenticate a user or service to a server. It typically has a limited lifespan (e.g., minutes or hours) and is included in API requests to authorize the user to perform actions on the server.
Refresh Token: A refresh token is a long-lived credential used to obtain a new access token once the original one expires. The refresh token is stored securely and lets the client request a new access token without requiring the user to log in again.
How do access tokens and refresh tokens work?
Now let's take a scenario where a user logs in, and go step by step through the whole flow.
Step 1. User login
The user enters their credentials (say, email and password) in the frontend, and the frontend sends them to the backend.
Step 2. Server verifies and responds with tokens
Once the credentials reach the server, it verifies them and generates the access and refresh tokens. Both tokens are sent back to the frontend/client. Again, the access token is short-lived and the refresh token is comparatively long-lived, though the exact lifetimes depend on the use case.
Step 3. Client stores the tokens
The tokens returned by the backend are now stored on the client side: the access token in memory (RAM) or in local storage (less secure), and the refresh token in a secure, HttpOnly cookie (best practice).
Step 4. Client accesses a protected resource
From here on, the user can access protected data. Every time the client requests data, the backend checks whether the access token is valid and whether it has expired. If the token is valid, the request is served. If it has expired, we move on to step 5.
Step 5. Access token expires
Once its lifetime runs out, the access token expires. The next time the user calls the API, the server responds with a 401 Unauthorized error, and the frontend automatically tries to refresh the token.
Step 6. Backend validates the refresh token
If the refresh token is still valid, the server issues a new access token. The frontend stores this new token and continues the session without logging in again.
If the refresh token is expired or invalid, the user must log in again.
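As an added example (not code from the original post), here is a minimal Python model of steps 2 to 6: the server mints a short-lived access token and a long-lived refresh token, the API answers 200 or 401 depending on the access token, and the refresh endpoint either issues a new pair or refuses, meaning the user must log in again. The token format (HMAC-signed JSON, a stripped-down JWT), the function names, the `now` clock parameter used to simulate expiry, and the refresh-token rotation (each refresh token can be redeemed only once) are assumptions of this example that go slightly beyond the text.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"demo-only-secret"                        # constructed; a real server uses a managed signing key
ACCESS_TTL, REFRESH_TTL = 15 * 60, 7 * 24 * 3600    # 15 minutes / 7 days, the example lifetimes from the post
_used_refresh_ids = set()                           # refresh tokens already redeemed (rotation)

def _mac(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def _sign(payload: dict) -> str:
    """Encode the payload and append an HMAC so the server can detect tampering."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{body}.{_mac(body)}"

def _verify(token: str, kind: str, now: float):
    """Return the payload if signature, token type and expiry all check out, else None."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    # A refresh token presented as an access token (or vice versa) is rejected by the "typ" check.
    if payload.get("typ") != kind or payload["exp"] <= now:
        return None
    return payload

def issue_tokens(user: str, now: float) -> dict:
    """Step 2: credentials already verified; mint a short-lived access and a long-lived refresh token."""
    return {
        "access": _sign({"sub": user, "typ": "access", "exp": now + ACCESS_TTL}),
        "refresh": _sign({"sub": user, "typ": "refresh", "exp": now + REFRESH_TTL, "jti": secrets.token_hex(8)}),
    }

def get_protected(access_token: str, now: float) -> int:
    """Steps 4-5: the API checks the bearer token and answers 200, or 401 when it is forged, malformed or expired."""
    return 200 if _verify(access_token, "access", now) else 401

def refresh(refresh_token: str, now: float):
    """Step 6: a valid, unused refresh token yields a new pair (the old one is retired); None means log in again."""
    payload = _verify(refresh_token, "refresh", now)
    if payload is None or payload["jti"] in _used_refresh_ids:
        return None
    _used_refresh_ids.add(payload["jti"])
    return issue_tokens(payload["sub"], now)
```

In a real deployment the access token travels in the Authorization header and the refresh token only reaches the refresh endpoint, in an HttpOnly Secure cookie; this model covers only the server-side validity logic.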
Here's a tabular comparison between access tokens and refresh tokens:

| Feature | Access Token | Refresh Token |
|---|---|---|
| Purpose | Used to access protected resources (APIs) | Used to obtain a new access token |
| Lifetime | Short-lived (e.g., 15 minutes) | Long-lived (e.g., 7–30 days) |
| Stored in | Memory, localStorage, or cookie | HttpOnly Secure cookie (recommended) |
| Sent with | Every API request (Authorization header) | Only the refresh endpoint (/refresh) |
| Security risk | Higher (used frequently) | Lower (used rarely; should be HttpOnly) |
| If expired | Requires the refresh token to get a new one | User is logged out |
Summary
When a user logs in, the backend sends an access token (short-lived) and a refresh token (long-lived). The frontend uses the access token for API requests and automatically refreshes it with the refresh token when it expires. If the refresh token is also invalid or expired, the user is logged out and redirected to the login page.
Written by Ravi Ranjan