About accessToken and refreshToken and the difference between them

What is an Access Token?
A small piece of data (usually a JWT) that proves the bearer has already been authenticated.
It is sent with every request to protected routes (fetching the user profile, updating data, and so on).
The server validates the access token (signature first, then expiry) to decide whether the request is authorized.
It expires quickly (usually 15 minutes to 1 hour), which limits the damage if it is stolen.
Think of it like a visitor pass to a building: it gets you in, but it expires quickly.
1. Access Token
Feature | Description |
Purpose | Grants access to protected resources (APIs, routes, data). |
Short-lived | Usually expires in 15 minutes to 1 hour to limit the damage from theft. |
Stored in | In memory or an HttpOnly cookie. localStorage is readable by any script running on the page, so an XSS bug there hands the token to the attacker. |
Used in | Sent with every request (typically an Authorization: Bearer header or a cookie) to authenticate the user. |
Payload | Typically includes user claims (like userId, email, role) and an expiry (exp). The server must verify the signature before trusting any of them. |
Security Risk | If stolen, an attacker can act as the user until it expires; that is why it is short-lived. |
What is a Refresh Token?
A longer-lived credential that the client keeps after the access token has expired.
It is presented to the token endpoint to obtain a new access token without making the user log in again.
Stored securely (usually in an HttpOnly cookie on the client, and as a hash in a database on the server so it can be revoked).
Expires in days or weeks.
Think of it like a master key kept in a safe: it is used to generate new visitor passes.
2. Refresh Token
Feature | Description |
Purpose | Used to obtain a new access token without requiring the user to log in again. |
Long-lived | Usually expires in 7 to 30 days. |
Stored in | HttpOnly cookie on the client; hashed in a database on the server so it can be looked up and revoked. |
Used in | Sent only to the token/refresh endpoint, each time the access token has expired, never to ordinary API routes. |
Payload | Often opaque (a random string), or a JWT with only userId or minimal info (safer). |
Security Risk | If leaked, it can mint new access tokens for as long as it is valid. Store it hashed, rotate it on every use, and revoke the whole session if a rotated-out token is presented again. |
Are both accessToken and refreshToken required?
Short answer:
No, only the accessToken is technically required for authentication to work. But using both is strongly recommended for security and user experience.
When is only accessToken enough?
You can use just an accessToken if:
You don't mind the user being forced to log in again every time the token expires.
You keep the token lifetime very short (e.g., 15 minutes).
Example: small internal apps or temporary logins.
But once the token expires, the user must log in again. This is annoying for users, and it tempts developers to stretch the access token lifetime, which widens the window a stolen token stays usable.
When should you use both accessToken and refreshToken?
Use both when:
You want a better user experience (auto-renew tokens behind the scenes).
You want extra security: refresh tokens can be revoked or rotated server-side, so a compromised session can be cut off without making access tokens live any longer.
You're building a real-world app (e.g., e-commerce, social media, etc.).
When the accessToken expires, the refreshToken is used to obtain a new one without logging in again.
Summary
Scenario | Use only accessToken | Use both accessToken + refreshToken |
Quick demo or test app | OK | Overkill |
Real-world app (login flow) | Bad UX | Best practice |
API without sessions | OK | Optional |
Persistent sessions (web/mobile) | Not suitable | Required for a smooth experience |
Pro Tip
Access tokens = short lifespan = a stolen one is only useful for minutes.
Refresh tokens = long lifespan = store securely (HttpOnly cookie, hashed at rest), rotate on every use, and revoke on suspicion.
That's it for this post!
Thanks for sticking around. If you have any questions or suggestions, drop a comment; I'd love to hear from you.
See you in the next article!
Written by Sajju Ahmad