Difference between Access token and Refresh token

Access token vs Refresh token

In web and mobile application security it is important to understand the distinct roles of access tokens and refresh tokens. Both are central to authentication and authorization, but they serve different purposes, are sent to different parties and carry different risks if they leak.

Access Tokens:

Access tokens are the credentials a client presents to a resource server (for example an API) to act on a user's behalf. They are issued by an authorization server after the user has authenticated and the client has been authorized, and they are deliberately short-lived, typically expiring after a few minutes to a few hours. The short lifetime limits the damage if a token is stolen: an attacker can only use it until it expires. Most access tokens are bearer tokens, meaning that whoever holds the token can use it, with no further proof of identity; they must therefore be protected in transit (TLS only) and at rest. An access token carries, or references, the scope and permissions that were granted, so the resource server can tell which actions and resources the token allows. When a client calls a protected resource it sends the token in the Authorization header (Authorization: Bearer <token>); the resource server validates the token (signature or introspection, expiry, intended audience and scope) and only then serves the request.

Refresh Tokens:

While access tokens are used to access resources, refresh tokens are used to obtain a new access token once the current one expires, without requiring the user to log in again. They are much longer-lived than access tokens, often valid for days, weeks or months, so that a user session can span many access-token lifetimes. A refresh token is held by the client and is sent only to the authorization server's token endpoint, never to resource servers, which keeps its exposure surface small. It grants no direct access to any resource; its sole use is to sustain the session by replacing an expired access token. Because it is long-lived, however, a stolen refresh token is valuable to an attacker: it should be stored in the most secure storage available on the platform, be revocable on the server, and ideally be rotated on every use so that a replayed (already used) token can be detected and the session revoked.

Key Differences:

1. Lifespan: Access tokens are short-lived (minutes to hours); refresh tokens are long-lived (days to months).

2. Purpose: An access token authorizes a request to a resource right now; a refresh token obtains a new access token when the old one expires.

3. Usage: Access tokens are sent with every request to the resource server; refresh tokens are sent only to the authorization server's token endpoint and never to resource servers.

4. Security: Both must be protected in transit and at rest, but the consequences differ. A leaked access token is useful only until it expires, whereas a leaked refresh token can keep producing fresh access tokens, so refresh tokens need stronger storage, server-side revocation and preferably rotation with reuse detection.

5. Content: Access tokens carry (or reference) claims such as subject, scope, audience and expiry that the resource server checks; refresh tokens are usually opaque random strings whose meaning exists only in the authorization server's records.
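The following is an added example, not code from the original article or from any particular identity provider. It models both halves of the mechanism described above in one self-contained Python module: an authorization server that issues a short-lived signed access token together with a long-lived opaque refresh token, a resource-server check that verifies signature, expiry and scope, and a token endpoint that rotates the refresh token on every use and revokes the whole token family when an already-rotated token is replayed. The signing key, lifetimes, token format and all function names are assumptions chosen for illustration.

```python
# Added example (not from the original article): a minimal, self-contained model
# of an authorization server issuing short-lived access tokens and long-lived,
# rotating refresh tokens. Key, lifetimes, token format and names are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SIGNING_KEY = b"demo-signing-key-do-not-use-in-production"  # assumption: HMAC key
ACCESS_TTL = 15 * 60            # access token lives 15 minutes
REFRESH_TTL = 30 * 24 * 3600    # refresh token lives 30 days

# Server-side store of refresh tokens, keyed by SHA-256 of the token so that a
# database leak does not hand out usable tokens. Each entry records the token
# "family" it belongs to so a replayed (already rotated) token revokes the family.
_refresh_store: dict = {}
_revoked_families: set = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def make_access_token(sub: str, scopes: list, now: int) -> str:
    """Self-contained signed token of the form payload.signature (HMAC-SHA256)."""
    payload = {"sub": sub, "scope": " ".join(scopes), "iat": now, "exp": now + ACCESS_TTL}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_access_token(token: str, required_scope: str, now: int) -> Optional[dict]:
    """Resource-server check: signature, then expiry, then scope. Returns claims or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                      # tampered or forged
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return None                      # expired: the client must use its refresh token
    if required_scope not in claims["scope"].split():
        return None                      # genuine token, but not authorized for this action
    return claims


def issue_tokens(sub: str, scopes: list, now: int, family: Optional[str] = None) -> dict:
    """Issue an access/refresh pair; the refresh token is opaque and stored hashed."""
    family = family or secrets.token_hex(8)
    refresh = secrets.token_urlsafe(32)
    _refresh_store[_hash(refresh)] = {
        "sub": sub, "scope": scopes, "family": family,
        "exp": now + REFRESH_TTL, "used": False,
    }
    return {"access_token": make_access_token(sub, scopes, now),
            "refresh_token": refresh, "expires_in": ACCESS_TTL}


def refresh_tokens(refresh: str, now: int) -> Optional[dict]:
    """Token endpoint: rotate the refresh token and detect reuse of a rotated one."""
    entry = _refresh_store.get(_hash(refresh))
    if entry is None or now >= entry["exp"]:
        return None                      # unknown or expired refresh token
    if entry["family"] in _revoked_families:
        return None                      # family already revoked after a replay
    if entry["used"]:
        # A rotated token was presented again: either the legitimate client or a
        # thief is replaying it. Revoke the whole family so both lose access.
        _revoked_families.add(entry["family"])
        return None
    entry["used"] = True
    return issue_tokens(entry["sub"], entry["scope"], now, family=entry["family"])


if __name__ == "__main__":
    t0 = 1_700_000_000
    pair = issue_tokens("alice", ["read", "write"], t0)
    print(validate_access_token(pair["access_token"], "read", t0 + 60))       # claims
    print(validate_access_token(pair["access_token"], "read", t0 + ACCESS_TTL))  # None
    renewed = refresh_tokens(pair["refresh_token"], t0 + 3600)
    print(renewed is not None, refresh_tokens(pair["refresh_token"], t0 + 3700))  # True None
```

Note how the two token types never meet: the resource server only ever sees the signed access token and needs no database to validate it, while the refresh token is an opaque secret that only the authorization server can interpret. Rotation with reuse detection is the behaviour recommended for public clients such as single-page and mobile apps, where a refresh token cannot be tied to a client secret.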

Conclusion:

Together, access tokens and refresh tokens give applications a secure and efficient way to manage user sessions and resource access: the short-lived access token limits the damage from a leak, and the refresh token lets the session continue without repeated logins while remaining revocable on the server.