Access vs Refresh Tokens Explained!


If you’ve ever logged into a website and stayed logged in even after closing the tab, you have seen tokens in action. This blog explains **what they are**, **why both are needed**, and **how they work together** to protect user sessions without compromising on user experience.
Authentication vs Authorization
Authentication = Who are you?
- The process of verifying identity.
- Example: logging in with a username and password.
Authorization = What are you allowed to do?
- The process of granting permission.
- Example: checking whether the user may perform a certain task, such as opening the admin dashboard.
Now that we know the difference between authentication and authorization, we can look at how tokens are used for authentication. But before we jump into the details, we need to know what these tokens actually are.
JsonWebTokens(JWT)
A JWT (JSON Web Token) is like a digital ID card that your app can use to prove who you are, without needing to check a database on every request: the server signs it, so it can be verified but not forged. Note that a standard JWT is signed, not encrypted, so anyone holding it can read its payload. If you want to know more about JWTs, I would recommend this video: https://youtu.be/xrj3zzaqODw?si=a-qKg3bsX16Fd5Bn .
What is an Access Token?
- A short-lived token (for example, 15 minutes) that proves the user is logged in.
- Sent with every request to the API, and checked by verifying its signature and expiry.
- Stored client-side, in memory or in a cookie.
- Contains user claims (in JWT format), such as the user ID and role. Because the payload is only signed, not encrypted, it should never carry secrets.
🎯IRL-Analogy:
Think of an access token as a visitor badge at a company.
It lets you into certain areas for a limited time. When it expires, security won’t let you in again until it is renewed (with the refresh token described next, or by logging in again if that has expired too).
What is a Refresh Token?
- A long-lived token (for example, 15 days or several weeks) used to request a new access token when the current one expires.
- Only ever sent to the token-refresh endpoint, never to ordinary API endpoints.
- Kept secret: stored in an HttpOnly, Secure cookie, so page JavaScript cannot read it and the browser only sends it over HTTPS. On the server, store only a hash of it, so a leaked database does not leak usable tokens.
It is good security practice to rotate the refresh token every time you issue a new access token: each refresh token is valid for exactly one use, and using it returns a new one. If someone steals an old refresh token, it is already useless. Better still, if the server sees an already-used refresh token presented again, it knows that token was stolen and can revoke every token issued from that login, forcing a fresh sign-in. ✅
🎯IRL-Analogy:
A refresh token is like an admin pass stored securely on your phone.
You don’t show it often, but when your visitor badge expires, it gets you a new one without logging in again.
So why do we use two tokens instead of one?
| Problem | Solution |
| --- | --- |
| 🔓 An access token is only valid for a short time (for security reasons) | 🔁 The refresh token removes the need to log in again and again |
| 😨 If an access token is stolen, damage can be done | ✅ Its quick expiry limits that risk |
| 😩 Logging in every 15 minutes is annoying | ✅ The refresh token quietly obtains a new access token |
TL;DR —
Access tokens are fast but short-lived, so a stolen one is only useful briefly.
Refresh tokens are long-lived, so they are stored more carefully and rotated on every use.
Using both keeps your app secure and user-friendly.
To prevent token abuse: keep access tokens short-lived, keep refresh tokens in HttpOnly Secure cookies, rotate them on every use, and revoke the whole session if a rotated token is reused.
I have used the ChatGPT layout because I love it and find it easier to understand, along with some emojis :). I hope this blog has helped you a little bit. [talking to myself ;-)]
Video References: https://youtu.be/L2_gIrDxCes?si=EJ7b5eeDf2ZqScx5
Written by Mahin
