Difference between access token and refresh token: #code-with-hitesh-choudhary - YT-> @chai-aur-code (hitesh choudhary)

Manoj Singh

๐Ÿ” Access Token

An access token is like a short-term pass that lets a user access protected parts of a website or app. It's sent with each request to prove the user is logged in. It expires quickly for security, so if it's stolen, it won't be useful for long.

Feature         Description
Purpose         Used to access protected resources (APIs, routes, etc.)
Lifetime        Short-lived (e.g., 5 minutes to 1 hour)
Stored in       Usually stored in memory or localStorage (web)
Security risk   Higher if stolen, since it gives direct access to resources
Usage           Sent with every API request (usually in the Authorization header as Bearer <token>)
Payload         Contains user data (user ID, roles, etc.) and expiry time
Validation      Validated by the backend or token verifier (e.g., using JWT)

๐Ÿ” Refresh Token

A refresh token is a long-lived credential that stays with the user and is used to obtain new access tokens when they expire. It is not sent with every request, only to the endpoint that issues a new access token. It should be stored securely because it is more powerful than an access token.

Feature         Description
Purpose         Used to obtain a new access token when the old one expires
Lifetime        Long-lived (e.g., days to weeks)
Stored in       More securely stored (e.g., HTTP-only cookies or secure DB)
Security risk   High if stolen, as it can generate new access tokens
Usage           Sent to a specific endpoint (e.g., /refresh-token) to get a new access token
Payload         Usually minimal, just enough to identify the user/session
Validation      Backend checks its validity in the database or uses token introspection

Why Both Are Needed?

Using both makes the system safer and smoother. The access token gives fast access without a database lookup on every request, because it is self-contained and signed; the refresh token keeps users logged in without asking them to sign in again and again, and because it is checked against the database it can be revoked if it is stolen.
