πŸ” Access Token vs Refresh Token: A Developer-Friendly Guide

Kaushal KishorKaushal Kishor
3 min read

If you’re working with authentication in web or mobile apps, you’ve probably come across the terms Access Token and Refresh Token. At first, they might seem confusing, but once you get the hang of them, they become super handy to manage secure and scalable authentication.

In this blog, we’ll break it down in simple terms with practical examples, so you can implement them like a pro. πŸš€


🧠 What Are Access Tokens?

Think of an access token as a temporary key that proves who you are.

πŸ”‘ It’s issued after a successful login and is sent with every API request to prove that the user is authenticated.

  • It's short-lived (e.g., 15 minutes to 1 hour).

  • Typically a JWT (JSON Web Token).

  • Sent in the Authorization header:
    Authorization: Bearer <access_token>

βœ… Why Use Access Token?

  • Avoids hitting the database for every request.

  • Keeps APIs stateless and fast.

  • Small and easy to verify on the backend.


πŸ§ƒ What Are Refresh Tokens?

A refresh token is a secret that helps you get a new access token without logging in again.

πŸ“¦ It’s issued along with the access token when the user logs in and stored securely (like in an HTTP-only cookie or secure storage).

  • Long-lived (e.g., 7 days to even 30 days).

  • NOT sent with every API request.

  • Used only when the access token expires.

πŸ” Flow Example:

  1. User logs in β†’ Server returns accessToken (15 mins) and refreshToken (7 days)

  2. User accesses APIs with accessToken

  3. accessToken expires β†’ frontend sends refreshToken to server

  4. Server verifies and issues a new accessToken πŸ”„


πŸ“¦ Where to Store Tokens?

Token TypeBest Practice Location
Access TokenIn memory / HTTP-only cookie
Refresh TokenHTTP-only cookie (Never localStorage!)

⚠️ Never store sensitive tokens in localStorage – it’s vulnerable to XSS attacks.


πŸ” How Does It Improve Security?

Without refresh tokens, you’d have to make access tokens live longer (bad idea 🚫).
With refresh tokens, you:

  • Keep access tokens short-lived (less damage if leaked)

  • Allow silent re-authentication

  • Improve user experience (no random logouts)


πŸ›‘οΈ Real-World Example (MERN Stack):

When a user logs in:

// Backend response
res.cookie("refreshToken", refreshToken, {
  httpOnly: true,
  secure: true,
  sameSite: "Strict",
});
res.json({ accessToken });

When access token expires:

// Frontend
axios.post("/api/refresh", {}, { withCredentials: true })
  .then(res => {
    const newAccessToken = res.data.accessToken;
    // Update and retry the failed request
  });

πŸ”„ When Should You Rotate Refresh Tokens?

Good question!

You should rotate refresh tokens each time a new access token is issued (just like rotating API keys). This reduces the risk of stolen tokens being reused.


βœ… Quick Recap

FeatureAccess TokenRefresh Token
PurposeAccess APIsGet new access tokens
LifetimeShort (15–60 min)Long (7–30 days)
StorageMemory / CookieHTTP-only Cookie
Security RiskLess if short-livedHigh if not protected

πŸ’¬ Final Thoughts

Using access tokens and refresh tokens together is a best practice for secure authentication in modern web apps. If you’re building with React, Node.js, or any frontend-backend combo, implementing this flow will save you a ton of headache β€” both for user experience and security.

Let me know in the comments if you'd like a full code tutorial on how to implement this in MERN Stack! πŸ’¬


Happy Coding! πŸ’»
Follow for more developer-friendly auth breakdowns.

Learned from : Chai aur Code (Hitesh Sir ❀️)

1
Subscribe to my newsletter

Read articles from Kaushal Kishor directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Kaushal Kishor
Kaushal Kishor