Difference between Access Token & Refresh Token

Introduction

In the world of web and mobile applications, secure user authentication is crucial. Tokens play a key role in this process, especially Access Tokens and Refresh Tokens. Understanding their differences helps in building secure and efficient systems.

What is an Access Token

An access token is a credential presented as proof of authorization; it is used to access protected resources on a server. Once the user logs in to the system, the server generates the access token and it is stored in the client's session/cookie. Instead of entering a username and password on every subsequent request, the client authenticates with the access token. An access token typically contains user information and permissions. Access tokens have a short lifespan to minimize the security risk if one is compromised.

How the access token works

As the diagram above shows,

  • The client uses its credentials to log in to the server.

  • After authentication succeeds, the server generates an access token and sends it to the client.

  • Whenever the client makes a new request to a protected resource, it includes the access token in the request header (typically as a Bearer token).

  • The resource server validates the token sent by the client; if the token is valid, the server processes the request and returns the response.

Refresh Token

A refresh token is a credential used to obtain a new access token without requiring the user to log in again. Unlike the access token, refresh tokens have a longer lifespan and are stored securely (client-side/backend).

How the refresh token works

  • On user login, both the access token and the refresh token are stored in cookies with the HttpOnly flag, so that script cannot read them in an XSS (Cross-Site Scripting) attack.

  • When the access token expires, the client sends a request to the authorization server asking for a new access token, passing the refresh token.

  • The authorization server validates the refresh token and issues a new access token to the client.

  • The client then sends the new access token in the request header to the resource server to receive the protected resource.
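The issue/verify/refresh cycle above, written out as an added example (not code from the original post or its video). It assumes an HMAC-signed access token, an in-memory store of hashed refresh tokens, single-use refresh tokens (rotation), and a constructed credential check standing in for a real password verifier.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-signing-key"  # constructed for this example only
ACCESS_TTL = 15 * 60          # short-lived: 15 minutes
REFRESH_TTL = 7 * 24 * 3600   # long-lived: 7 days

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_access_token(sub: str, now: float) -> str:
    # Self-contained access token: base64(payload).base64(HMAC-SHA256)
    body = _b64(json.dumps({"sub": sub, "exp": now + ACCESS_TTL}, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def verify_access_token(token: str, now: float):
    # Resource-server check: signature first, then expiry. None means reject.
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not sig or not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return payload if payload["exp"] > now else None

class AuthServer:
    """Issues token pairs; refresh tokens are opaque, stored hashed, single-use."""

    def __init__(self):
        self._refresh = {}  # sha256(refresh token) -> {"sub": ..., "exp": ...}

    def _issue_pair(self, sub: str, now: float) -> dict:
        refresh = secrets.token_urlsafe(32)
        key = hashlib.sha256(refresh.encode()).hexdigest()
        self._refresh[key] = {"sub": sub, "exp": now + REFRESH_TTL}
        return {"access_token": make_access_token(sub, now), "refresh_token": refresh}

    def login(self, username: str, password: str, now: float):
        # Constructed credential check; a real server verifies a password hash
        if (username, password) != ("alice", "correct-horse"):
            return None
        return self._issue_pair(username, now)

    def refresh(self, refresh_token: str, now: float):
        # pop() makes the refresh token single-use: a replayed token is rejected
        rec = self._refresh.pop(hashlib.sha256(refresh_token.encode()).hexdigest(), None)
        if rec is None or rec["exp"] <= now:
            return None
        return self._issue_pair(rec["sub"], now)
```

Time is passed in explicitly so expiry and rotation can be exercised deterministically; a real deployment would use the clock and a persistent store.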

Key difference between Access token and Refresh token

Feature    | Access Token                    | Refresh Token
-----------|---------------------------------|------------------------------------
Purpose    | Access the protected resources  | Obtain new access tokens
Lifespan   | Short-lived                     | Long-lived
Usage      | Frequently used in API calls    | Used only when access token expires
Storage    | Stored on client servers        | Stored on authorization server

Conclusion

Access tokens and refresh tokens are vital for secure authentication systems. Access tokens provide quick, temporary access to resources, while refresh tokens help maintain long-term user sessions without frequent logins. Implementing both correctly enhances both security and the user experience.

For further insights and practical implementation details, you can refer to the attached video tutorial by Hitesh Choudhary.