π Access Token vs Refresh Token: A Developer-Friendly Guide


If youβre working with authentication in web or mobile apps, youβve probably come across the terms Access Token and Refresh Token. At first, they might seem confusing, but once you get the hang of them, they become super handy to manage secure and scalable authentication.
In this blog, weβll break it down in simple terms with practical examples, so you can implement them like a pro. π
π§ What Are Access Tokens?
Think of an access token as a temporary key that proves who you are.
π Itβs issued after a successful login and is sent with every API request to prove that the user is authenticated.
It's short-lived (e.g., 15 minutes to 1 hour).
Typically a JWT (JSON Web Token).
Sent in the
Authorization
header:
Authorization: Bearer <access_token>
β Why Use Access Token?
Avoids hitting the database for every request.
Keeps APIs stateless and fast.
Small and easy to verify on the backend.
π§ What Are Refresh Tokens?
A refresh token is a secret that helps you get a new access token without logging in again.
π¦ Itβs issued along with the access token when the user logs in and stored securely (like in an HTTP-only cookie or secure storage).
Long-lived (e.g., 7 days to even 30 days).
NOT sent with every API request.
Used only when the access token expires.
π Flow Example:
User logs in β Server returns
accessToken
(15 mins) andrefreshToken
(7 days)User accesses APIs with
accessToken
accessToken
expires β frontend sendsrefreshToken
to serverServer verifies and issues a new accessToken π
π¦ Where to Store Tokens?
Token Type | Best Practice Location |
Access Token | In memory / HTTP-only cookie |
Refresh Token | HTTP-only cookie (Never localStorage!) |
β οΈ Never store sensitive tokens in localStorage β itβs vulnerable to XSS attacks.
π How Does It Improve Security?
Without refresh tokens, youβd have to make access tokens live longer (bad idea π«).
With refresh tokens, you:
Keep access tokens short-lived (less damage if leaked)
Allow silent re-authentication
Improve user experience (no random logouts)
π‘οΈ Real-World Example (MERN Stack):
When a user logs in:
// Backend response
res.cookie("refreshToken", refreshToken, {
httpOnly: true,
secure: true,
sameSite: "Strict",
});
res.json({ accessToken });
When access token expires:
// Frontend
axios.post("/api/refresh", {}, { withCredentials: true })
.then(res => {
const newAccessToken = res.data.accessToken;
// Update and retry the failed request
});
π When Should You Rotate Refresh Tokens?
Good question!
You should rotate refresh tokens each time a new access token is issued (just like rotating API keys). This reduces the risk of stolen tokens being reused.
β Quick Recap
Feature | Access Token | Refresh Token |
Purpose | Access APIs | Get new access tokens |
Lifetime | Short (15β60 min) | Long (7β30 days) |
Storage | Memory / Cookie | HTTP-only Cookie |
Security Risk | Less if short-lived | High if not protected |
π¬ Final Thoughts
Using access tokens and refresh tokens together is a best practice for secure authentication in modern web apps. If youβre building with React, Node.js, or any frontend-backend combo, implementing this flow will save you a ton of headache β both for user experience and security.
Let me know in the comments if you'd like a full code tutorial on how to implement this in MERN Stack! π¬
Happy Coding! π»
Follow for more developer-friendly auth breakdowns.
Learned from : Chai aur Code (Hitesh Sir β€οΈ)
Subscribe to my newsletter
Read articles from Kaushal Kishor directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
