AccessToken and RefreshToken

ACCESS TOKEN
These tokens are stored on the client side.
The public/secret key used to sign and verify them is kept on the server side.
REFRESH TOKEN
These tokens are stored on the server side.
They are generally used as an extra layer of protection, letting a short-lived access token be renewed without re-authentication.
SIMILARITIES between ACCESS TOKEN and REFRESH TOKEN.
—> Both are used in authentication & authorization flows.
—> Both are typically string-based tokens.
—> Both should be transmitted over secure channels.
—> Both have a lifespan (an expiration time).
—> Both can be revoked by the authorization server.
—> Both can be revoked through the token exchange process.
DIFFERENCES between ACCESS TOKEN and REFRESH TOKEN.
(here, abbreviating access token as AT and refresh token as RT)
—> AT : Short-lived (minutes to hours).
RT : Long-lived (days to months).
—> AT : Less secure.
RT : Higher security.
—> AT : Used with any API request.
RT : Used when access token expires.
—> AT : Difficult to revoke before expiration.
RT : Easier to revoke.
—> AT : Contains various permissions (scopes).
RT : Has only one permission: obtaining a new AT.
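The following is an added example, not code from the original article, that puts the points above into a working flow: a short-lived, self-contained access token that the server verifies statelessly with a secret it alone holds; an opaque refresh token whose only meaning is a record in server-side storage; single-use refresh token rotation; and the practical consequence that revoking a refresh token does not cut off an already-issued access token. The HMAC-signed token format, the in-memory dict standing in for server-side storage, the lifetimes, and all function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: the server signs access tokens with an HMAC key that never leaves it.
SERVER_SECRET = secrets.token_bytes(32)

ACCESS_TTL = 15 * 60            # access token: minutes (constructed value)
REFRESH_TTL = 30 * 24 * 3600    # refresh token: days to months (constructed value)

# Server-side store for refresh tokens (hypothetical; a database in practice).
_refresh_store = {}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(subject, scopes, now=None):
    """Short-lived bearer token carrying the caller's permissions (scopes)."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "scope": scopes, "exp": int(now + ACCESS_TTL)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_access_token(token, now=None):
    """Stateless check: valid signature and not expired. No server-side lookup,
    which is exactly why an AT is hard to revoke before it expires."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return None
    return payload


def issue_refresh_token(subject, scopes, now=None):
    """Opaque random string; its only permission is obtaining a new AT."""
    now = time.time() if now is None else now
    rt = secrets.token_urlsafe(32)
    _refresh_store[rt] = {"sub": subject, "scope": scopes, "exp": now + REFRESH_TTL}
    return rt


def refresh(rt, now=None):
    """Token exchange: trade a refresh token for a new AT and a rotated RT.
    The presented RT is consumed, so a replayed RT is rejected."""
    now = time.time() if now is None else now
    record = _refresh_store.pop(rt, None)
    if record is None or record["exp"] <= now:
        return None
    new_at = issue_access_token(record["sub"], record["scope"], now)
    new_rt = issue_refresh_token(record["sub"], record["scope"], now)
    return new_at, new_rt


def revoke_refresh_token(rt):
    """Server-side revocation is a single delete; returns True if it existed."""
    return _refresh_store.pop(rt, None) is not None


if __name__ == "__main__":
    t0 = 1_000_000
    at = issue_access_token("alice", ["read"], now=t0)
    rt = issue_refresh_token("alice", ["read"], now=t0)
    print("AT valid now:", verify_access_token(at, now=t0) is not None)
    print("AT valid after TTL:", verify_access_token(at, now=t0 + ACCESS_TTL) is not None)
    new_at, new_rt = refresh(rt, now=t0 + ACCESS_TTL)
    print("old RT replay accepted:", refresh(rt, now=t0 + ACCESS_TTL) is not None)
    print("new RT revoked:", revoke_refresh_token(new_rt))
```

Note the asymmetry the differences list describes: `revoke_refresh_token` takes effect immediately because the server owns the record, whereas `verify_access_token` consults nothing but the signature and `exp`, so an access token minted before the revocation keeps working until it expires.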
