Access and Refresh Tokens Explained

Access and refresh tokens are typically JWTs. So what is a JWT?
JWT stands for JSON Web Token, a token-based format for carrying essential data about a user, such as their username, email, or ID.
So what is the purpose of these two tokens, and why use two tokens rather than one?
The access token is used for authentication, that is, for verifying who the user is. Access tokens are usually short-lived, meaning they expire quickly, so that our data remains secure: a token that does leak is only usable for a short window. Remember that HTTP is stateless, meaning the server does not store our data or anything that arrived in a request unless we ourselves persist a session or a refresh token in the database.
The refresh token is used to obtain a new access token; refresh tokens are usually long-lived.
So why do we use two tokens?
Mainly because the access token is stored only on the client side and used for authentication. If we kept that one token on the server side as well and used it for everything, the chances of it being stolen would be quite high. So instead we store the refresh token on both the server and the client: when the access token expires, the server verifies the refresh token against its stored copy and then issues us a new access token.
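To make that flow concrete, here is an added example in plain Python (not code from the original post): the server issues a short-lived access JWT and a long-lived refresh JWT, keeps only a hash of the refresh token in its store, and the refresh endpoint checks that stored copy before minting a new access token. The HS256 signing key, the lifetimes, and the user id are constructed values for the demo.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional, Tuple

SECRET = b"constructed-demo-signing-key"  # constructed for the demo; load from a secret store in practice
ACCESS_TTL = 15 * 60           # access tokens are short-lived: 15 minutes
REFRESH_TTL = 30 * 24 * 3600   # refresh tokens are long-lived: 30 days

# Server-side record of each user's current refresh token (hashed); the access token is never stored here.
refresh_store = {}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature checks out and 'exp' is still in the future, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(payload))
    return claims if claims.get("exp", 0) > now else None

def issue_tokens(user_id: str, now: float) -> Tuple[str, str]:
    """Login: hand the client both tokens, and keep a hash of the refresh token on the server."""
    access = sign_jwt({"sub": user_id, "typ": "access", "exp": now + ACCESS_TTL})
    refresh = sign_jwt({"sub": user_id, "typ": "refresh", "jti": secrets.token_hex(8), "exp": now + REFRESH_TTL})
    refresh_store[user_id] = hashlib.sha256(refresh.encode()).hexdigest()
    return access, refresh

def refresh_access(refresh_token: str, now: float) -> Optional[str]:
    """Refresh endpoint: a new access token only for a valid refresh token the server still recognises."""
    claims = verify_jwt(refresh_token, now)
    if not claims or claims.get("typ") != "refresh":
        return None  # expired, forged, or an access token being passed off as a refresh token
    if refresh_store.get(claims["sub"]) != hashlib.sha256(refresh_token.encode()).hexdigest():
        return None  # unknown or revoked: the server-side copy is what lets us refuse it
    return sign_jwt({"sub": claims["sub"], "typ": "access", "exp": now + ACCESS_TTL})
```

Clearing a user's entry in `refresh_store` is all it takes to revoke their refresh token, while the stateless access token simply ages out.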
Hope that explains what Access and Refresh tokens are and their usage.