Access token vs Refresh token


What are Access and Refresh tokens?

Access and refresh tokens are key components of OAuth 2.0, an authentication and authorization protocol. They let a client securely reach protected resources without the user having to enter their credentials over and over.

OAuth 2.0 🤔

This protocol uses access tokens to grant temporary access to resources, and refresh tokens to obtain new access tokens without user re-authentication once the access token expires.


Access token

An access token is a credential, typically a JWT, that grants access to resources through OAuth. It acts as a key that lets the user reach sensitive, restricted data without making a fresh login request each time.


How OAuth 2.0 works

  1. The user wants to access a restricted resource.

  2. The client requests authorization from the user.

  3. The user inputs credentials.

  4. The client transfers those credentials to the authorization server.

  5. The authorization server returns an access token.

  6. The client sends this token to the resource server.

  7. The resource server uses the token as a key and grants the user access.

  8. From this point the user can access the application or restricted resource with this token, without entering credentials again and again.

Then why Refresh token?

Access tokens usually have very short lifespans. In many cases, they last only a few hours.
Once that time passes the session expires and is deleted, so the user would have to make an authorization request all over again.


Refresh token

Refresh tokens extend the effective lifespan of an access token. They are issued alongside the first access token and recorded on the authorization server, and they have a much longer lifespan, many days or even months. When a user's access token expires, the refresh token is presented to the authorization server to obtain a new access token, so the authenticated session continues without another login.
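To make the two flows above concrete (the access-token issuance and check from "How OAuth 2.0 works", and the refresh step from this section), here is an added Python example that is not part of the original post. It assumes a compact HS256 JWT for the access token, an opaque random refresh token stored only as a hash on the authorization server, and refresh-token rotation with reuse detection; the key, lifetimes and subject names are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values (assumptions, not from the original post).
SIGNING_KEY = b"demo-hs256-key-do-not-reuse"
ACCESS_TTL = 15 * 60           # access token lifetime: 15 minutes
REFRESH_TTL = 30 * 24 * 3600   # refresh token lifetime: 30 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _digest(token: str) -> str:
    # Refresh tokens are stored hashed so a leaked store cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def mint_access_token(subject: str, scope: str, now: int) -> str:
    """Authorization server: build a compact HS256 JWT with a short exp claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": subject, "scope": scope, "iat": now, "exp": now + ACCESS_TTL}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, now: int):
    """Resource server: check the signature first, then expiry. Returns claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None                       # forged or tampered token
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None                       # the server, not the token, picks the algorithm
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return None                       # expired: the client must use its refresh token
    return claims


class AuthorizationServer:
    """Issues access + refresh token pairs; refresh tokens are single-use and rotated."""

    def __init__(self):
        self._refresh = {}               # sha256(refresh token) -> record
        self._revoked_families = set()   # families killed after a replay was seen

    def issue(self, subject: str, scope: str, now: int, family: str = None) -> dict:
        refresh = secrets.token_urlsafe(32)
        self._refresh[_digest(refresh)] = {
            "sub": subject, "scope": scope, "exp": now + REFRESH_TTL,
            "family": family or secrets.token_hex(8), "used": False,
        }
        return {"access_token": mint_access_token(subject, scope, now),
                "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": ACCESS_TTL}

    def refresh(self, refresh_token: str, now: int):
        """Consume the presented refresh token and return a fresh pair.
        Presenting an already-consumed token revokes its whole family."""
        rec = self._refresh.get(_digest(refresh_token))
        if rec is None or rec["exp"] <= now or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            self._revoked_families.add(rec["family"])   # replay detected
            return None
        rec["used"] = True
        return self.issue(rec["sub"], rec["scope"], now, family=rec["family"])


if __name__ == "__main__":
    server = AuthorizationServer()
    t0 = 1_700_000_000
    pair = server.issue("alice", "read", t0)
    print("valid now:", verify_access_token(pair["access_token"], t0 + 60) is not None)
    print("valid after TTL:", verify_access_token(pair["access_token"], t0 + ACCESS_TTL) is not None)
    renewed = server.refresh(pair["refresh_token"], t0 + ACCESS_TTL + 5)
    print("renewed:", renewed is not None)
```

The resource server only ever needs the signing key and the clock: it never calls back to the authorization server, which is what makes the short access-token lifetime matter. Rotation means each refresh token works exactly once, so if a stolen copy is replayed after the legitimate client already used it, the server sees the reuse and revokes every token in that family.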


Written by

Ravindra Singh Shekhawat