In the context of JSON Web Tokens (JWT), access tokens and refresh tokens are two types of tokens used for authentication and authorization. They are often used together in systems that require user login, ensuring both security and efficiency.
1. Access Token:
An access token is a short-lived token that grants access to specific resources or services. Once the user successfully authenticates, an access token is issued and used to access protected routes or APIs.
- Short-lived: Typically expires after a short period (e.g., 1 hour).
- Bearer Token: It is usually included in HTTP headers to authenticate requests.
Example: Imagine you’re logging into a web app. After successfully logging in, the server gives you an access token (e.g., eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...). When you want to access a protected API, you send this token in the request headers like this:
Authorization: Bearer <access_token>
The server then verifies the token, and if it’s valid, it allows you to access the resource.
2. Refresh Token:
A refresh token is a long-lived token used to obtain a new access token after the old one expires. The refresh token does not grant access to resources directly, but it can be exchanged for a new access token when the current access token expires.
- Long-lived: Usually expires after a longer period (e.g., 30 days).
- Secure storage: Refresh tokens are stored securely on the client side (often in secure HTTP-only cookies).
Example: If your access token expires after an hour, you can’t access protected resources anymore. However, you can send your refresh token (which is still valid) to the server to get a new access token.
Login Flow with JWT Explained:
User Logs In:
- The user logs in with their credentials (username and password).
- The server validates the credentials and generates two tokens:
- Access Token (expires in 1 hour)
- Refresh Token (expires in 30 days)
Access Protected Resource:
- The user sends the access token to the server with every request (via HTTP headers).
- The server validates the access token. If valid, the server grants access to the requested resource.
Access Token Expiry:
- After 1 hour, the access token expires. The user can no longer access the resource.
- However, the refresh token is still valid.
Refresh Access Token:
- The client sends the refresh token to the server (usually in a secure manner).
- The server validates the refresh token, and if valid, it generates and returns a new access token (and possibly a new refresh token).
Access the Resource Again:
- The user now uses the new access token to access protected resources.
Summary of the Flow:
- Access Token: Used to access resources; short-lived (expires quickly).
- Refresh Token: Used to get a new access token when the old one expires; long-lived (expires later).
This system ensures:
- Security: If an attacker obtains an access token, it will be invalid after a short time, reducing the window of vulnerability.
- User Convenience: The user doesn’t need to log in repeatedly since the refresh token can be used to silently get new access tokens without requiring reauthentication.
Example in Practice:
Initial Login:
- User logs in → Server returns:
- Access Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... (expires in 1 hour)
- Refresh Token: f3b1c8a2c94d... (expires in 30 days)
Accessing Resources:
- User sends the Access Token with each request:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
- Server validates the Access Token and allows access.
Token Expiration:
- After 1 hour, the access token expires.
- The user uses the Refresh Token to get a new Access Token:
POST /refresh-token
Request body: { "refresh_token": "f3b1c8a2c94d..." }
- Server returns a new Access Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
- User continues accessing resources with the new token.
By using both access and refresh tokens, your system can be secure and scalable while providing a smooth user experience.
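The login, bearer-header check and refresh steps from "Login Flow with JWT Explained" and "Example in Practice" above, as one runnable Python example. This is added illustration code, not code from the article: it builds and verifies HS256 JWTs with the standard library only, uses an assumed static signing key and an in-memory store, treats the refresh token as an opaque random string stored hashed (the article's "f3b1c8a2c94d..." is likewise opaque), and rotates the refresh token on each use, which the article mentions as optional ("possibly a new refresh token"). The 1-hour and 30-day lifetimes are the article's. The verifier rejects any token whose header does not say HS256, so an unsigned "alg": "none" token is never accepted.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumptions (not from the article): a static HMAC key and in-memory storage.
SIGNING_KEY = b"demo-signing-key-replace-in-production"
ACCESS_TTL = 60 * 60              # 1 hour, as in the article
REFRESH_TTL = 30 * 24 * 60 * 60   # 30 days, as in the article


def b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id: str, now: int) -> str:
    """Build a compact HS256 JWT with the short expiry the article describes."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_access_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":        # refuse 'none' or a swapped algorithm
            return None
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except ValueError:                           # malformed segments, base64 or JSON
        return None
    if now >= claims.get("exp", 0):              # expired, or no exp claim at all
        return None
    return claims


def authorize_request(headers: dict, now: int) -> Optional[str]:
    """Parse 'Authorization: Bearer <access_token>' and return the user id or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    claims = verify_access_token(token, now)
    return claims["sub"] if claims else None


class TokenService:
    """Login and refresh endpoints; refresh tokens are opaque, hashed at rest, single-use."""

    def __init__(self) -> None:
        self._refresh_store: dict = {}   # sha256(refresh token) -> (user_id, expiry)

    def login(self, user_id: str, now: int) -> dict:
        refresh = secrets.token_hex(32)
        digest = hashlib.sha256(refresh.encode()).hexdigest()
        self._refresh_store[digest] = (user_id, now + REFRESH_TTL)
        return {"access_token": issue_access_token(user_id, now), "refresh_token": refresh}

    def refresh(self, refresh_token: str, now: int) -> Optional[dict]:
        digest = hashlib.sha256(refresh_token.encode()).hexdigest()
        entry = self._refresh_store.pop(digest, None)   # rotation: each refresh token works once
        if entry is None:
            return None
        user_id, expiry = entry
        if now >= expiry:
            return None
        return self.login(user_id, now)    # new access token and a new refresh token
```

Because the header is exactly {"alg":"HS256","typ":"JWT"}, every access token starts with the same "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." prefix shown in the article. Storing only a hash of the refresh token means a leaked store does not hand out usable refresh tokens, and single-use rotation means a stolen refresh token that is replayed after the legitimate client already used it is rejected.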
