Difference between access token and refresh token: #code-with-hitesh-choudhary - YT-> @chai-aur-code (hitesh choudhary)
Manoj Singh๐ Access Token
An access token is like a short-term pass that lets a user access protected parts of a website or app. It's sent with each request to prove the user is logged in. It expires quickly for security, so if it's stolen, it won't be useful for long.
| Feature | Description |
| Purpose | Used to access protected resources (APIs, routes, etc.) |
| Lifetime | Short-lived (e.g., 5 minutes to 1 hour) |
| Stored in | Usually stored in memory or localStorage (web) |
| Security risk | Higher if stolen, since it gives direct access to resources |
| Usage | Sent with every API request (usually in the Authorization header as Bearer <token>) |
| Payload | Contains user data (user ID, roles, etc.) and expiry time |
| Validation | Validated by the backend or token verifier (e.g., using JWT) |
๐ Refresh Token
A refresh token is a long-term key that stays with the user to get new access tokens when they expire. It's not sent with every request, only when asking for a new access token. It should be stored securely because it's more powerful.
| Feature | Description |
| Purpose | Used to obtain a new access token when the old one expires |
| Lifetime | Long-lived (e.g., days to weeks) |
| Stored in | More securely stored (e.g., HTTP-only cookies or secure DB) |
| Security risk | High if stolen, as it can generate new access tokens |
| Usage | Sent to a specific endpoint (e.g., /refresh-token) to get a new access token |
| Payload | Usually minimal, just enough to identify the user/session |
| Validation | Backend checks its validity in the database or uses token introspection |
Why Both Are Needed. ?โ
Using both makes the system safer and smoother. The access token gives fast access without checking the database every time, and the refresh token helps keep users logged in without asking them to sign in again and again.
Subscribe to my newsletter
Read articles from Manoj Singh directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by