RefreshToken vs AccessToken

Description:

When building secure applications, especially in the world of APIs and frontend-backend communication, we keep hearing the terms Access Token and Refresh Token. These are two of the most crucial pieces in the authentication and authorization puzzle.

In this blog we will take a deep dive into what each of these tokens does.

What is Access Token?

An access token is a short-lived credential that allows a user to access protected resources. Think of it like a movie ticket: it gets you into the movie for a limited time.

Key Features:
- Short lifespan (5 to 10 minutes)
- Sent with every API request (usually in the Authorization header)
- Can be a JWT

What is Refresh Token?

A refresh token is a long-lived credential used to obtain a new access token when the current one expires. Think of it like a membership card.

Key Features:
- Long lifespan (7 to 30 days)
- Stored securely (in local storage or HTTP-only cookies)
- Never sent with regular API calls
- Only sent to the /refresh-token endpoint

Why do we Need Both?
Using both access and refresh tokens provides a balance between security and user experience.

Token Type     | Purpose                | Lifetime          | Risk if stolen
Access Token   | Access protected APIs  | Short (minutes)   | Small (limited-time use)
Refresh Token  | Get new access tokens  | Long (days/weeks) | High (can keep refreshing)

Excalidraw diagram (bird's-eye view of the flow):

Full Flow: Access & Refresh Token

1. Login/Register

  • When the user logs in or registers:

    • The backend creates an access token (JWT, expires in 15 min)

    • The backend creates a refresh token (expires in 7 days or more)

  • The tokens are sent to the frontend as HTTP-only cookies.

2. Accessing a Protected Route

  • When the user visits a secure page:

    • The frontend sends the request (cookies are attached automatically)

    • The backend verifies the access token (jwt.verify)

    • If it is valid, the data is returned.

    • If the access token has expired, an error is returned.

3. Access Token Expired: Refresh Flow

  • When the frontend finds out that the access token has expired:

    • It hits a special route:
      POST /api/v1/auth/refresh-token

    • The refresh token cookie is sent automatically with this request

  • Backend:

    • Verifies the refresh token

    • If it is valid:

      • Generates a new access token

      • Sets the access token in a cookie

      • Tells the frontend "token refreshed"

    • If the refresh token is invalid or expired:

      • Logs the user out (clears the cookies)

What does the frontend do?

1. After login:

  • 2 cookies are saved in the browser:

    • accessToken (15 min)

    • refreshToken (7 days)

2. When an API call fails (401):

  • It automatically calls the refresh-token route

  • Gets a new token → retries the original request

Thanks for reading.
Saurabh Tripathi
