Liladhar Kumar Kushawaha

Understanding Access Tokens and Refresh Tokens in Authentication

Chandan Kumar's photo
Chandan Kumar
·

3 min read

In modern web applications, authentication and security are crucial. Two key components of secure authentication are access tokens and refresh tokens. These tokens help ensure that user sessions remain secure while minimizing the need for repeated logins.

Why Are Access and Refresh Tokens Required?

Traditional session-based authentication relies on storing session data on the server, which can be inefficient and difficult to scale. Token-based authentication, using access and refresh tokens, provides a stateless and scalable solution. Here’s why they are essential:

  • Enhanced Security: Short-lived access tokens reduce the risk of token theft because it expire shortly.

  • Seamless User Experience: Users stay logged in without needing to re-enter credentials frequently.

  • Scalability: Servers don’t need to store session data for every user.

  • Cross-Platform Support: Tokens can be used in web, mobile, and API-based applications.

What are Access Tokens?

An access token is a short-lived credential issued by the server after a user logs in. It is used to authenticate requests to protected resources, such as APIs or web pages.

Characteristics of Access Tokens:

  • Typically expires in minutes (e.g., 15 minutes) for security.

  • Sent in the Authorization header as Bearer <access_token>.

  • If expired, the user must log in again or use a refresh token to obtain a new one.

Example of an Access Token (JWT Format):

{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "userId": "12345",
  "exp": 1712345678
}

What are Refresh Tokens?

A refresh token is a long-lived credential used to generate new access tokens without requiring the user to log in again.

Characteristics of Refresh Tokens:

  • Usually stored securely in httpOnly cookies or local storage.

  • Longer expiration period (e.g., 7 days or more).

  • Used only when the access token expires.

  • Can be revoked if the user logs out or if a security breach occurs.

How Do Access and Refresh Tokens Work Together?

  1. User logs in → The server issues an access token and a refresh token.

  2. User makes API requests using the access token.

  3. Access token expires → The client sends the refresh token to a /refresh-token endpoint.

  4. Server verifies the refresh token and returns a new access token.

  5. If the refresh token is invalid or expired, the user must log in again.

Implementing Access and Refresh Tokens in Node.js

1. Generating Tokens

const jwt = require("jsonwebtoken");

const generateTokens = (user) => {
    const accessToken = jwt.sign({ userId: user.id }, "ACCESS_SECRET", { expiresIn: "15m" });
    const refreshToken = jwt.sign({ userId: user.id }, "REFRESH_SECRET", { expiresIn: "7d" });
    return { accessToken, refreshToken };
};

2. Middleware to Verify Access Token

const verifyAccessToken = (req, res, next) => {
    const token = req.headers.authorization?.split(" ")[1];
    if (!token) return res.status(401).json({ message: "Unauthorized" });

    jwt.verify(token, "ACCESS_SECRET", (err, user) => {
        if (err) return res.status(403).json({ message: "Token expired" });
        req.user = user;
        next();
    });
};

3. Refreshing the Access Token

app.post("/refresh-token", (req, res) => {
    const { refreshToken } = req.body;
    if (!refreshToken) return res.status(403).json({ message: "No refresh token provided" });

    jwt.verify(refreshToken, "REFRESH_SECRET", (err, user) => {
        if (err) return res.status(403).json({ message: "Invalid refresh token" });
        const newAccessToken = jwt.sign({ userId: user.userId }, "ACCESS_SECRET", { expiresIn: "15m" });
        res.json({ accessToken: newAccessToken });
    });
});

Best Practices for Secure Token Management

  • Use HTTP-only cookies for storing refresh tokens instead of local storage to prevent XSS attacks.

  • Set short expiration times for access tokens to reduce risk in case of token leakage.

  • Use HTTPS to encrypt token transmission.

  • Revoke refresh tokens upon user logout or security breach.

  • Implement rate limiting on the refresh endpoint to prevent brute-force attacks.

Conclusion

Access tokens and refresh tokens work together to provide secure and seamless authentication. The access token ensures secure API access, while the refresh token extends user sessions without frequent logins. By implementing proper security measures, developers can enhance authentication security in modern web applications.

JavaScriptbackendReactaccess-tokenrefresh-tokenrefreshtoken