Understanding Access Tokens and Refresh Tokens: Why, How, and When 🚀


Picture this: You walk into your favorite club 🕺. The bouncer checks your ID (authentication) and gives you a wristband 🎫 (access token). But wait — that wristband is only valid for a couple of hours ⏳. If you want to stay longer, you head back to the bouncer with a secret pass 🕵️‍♂️ (refresh token) to get a new wristband without showing your ID again.

This is basically how access tokens and refresh tokens work in authentication flows. Let’s dive into the details!


What Are Access Tokens? 🔑

An access token is:

  • A short-lived token (usually lasting minutes to hours ⏱️).

  • Issued to the client upon successful login.

  • Used to access protected resources (APIs) without re-entering credentials.

Think of it as your temporary pass to access the VIP area (the API).


What Are Refresh Tokens? ♻️

A refresh token is:

  • A long-lived token (lasting days to weeks 📆).

  • Used to request a new access token when it expires.

  • Kept secure and only shared with the authentication server.

Imagine it as your secret club membership card that lets you extend your stay without trouble.


Why Use Both? 🤔

  1. Security First 🛡️:

    • Access tokens have short lifespans, so a leaked one is usable only until it expires.

    • Refresh tokens, being long-lived, are stored securely (e.g., httpOnly cookies).

  2. User Experience 🎯:

    • Avoid frequent logins by refreshing access tokens behind the scenes.

    • Keep APIs stateless — servers don’t need to track sessions.


How the Flow Works 🌊

Here’s a typical flow for access and refresh tokens:

  1. Login Phase:

    • The user logs in with credentials.

    • The server issues an access token and a refresh token.

  2. Token Usage:

    • The client includes the access token in API requests via headers (Authorization: Bearer <accessToken>).

  3. Access Token Expiry:

    • The access token expires after a short time.

    • The client sends the refresh token to the /refresh endpoint to get a new access token.

  4. Refresh Token Rotation:

    • The server validates the refresh token.

    • A new access token (and sometimes a new refresh token) is issued.


Example Endpoint for Refreshing Tokens 💻

Here’s a snippet that demonstrates how to refresh an expired access token using a refresh token:

// Dependencies used below; the require paths are assumed and depend on the project layout
const jwt = require('jsonwebtoken');
const asyncHandler = require('../utils/asyncHandler');
const AppError = require('../utils/AppError');
const ApiResponse = require('../utils/ApiResponse');
const User = require('../models/User');
const { generateAccessAndRefreshTokens } = require('../utils/tokens');

const refreshAccessToken = asyncHandler(async (req, res) => {
  // Accept the refresh token from the request body or from the httpOnly cookie
  const incomingRefreshToken = req.body?.refreshToken || req.cookies?.refreshToken;

  if (!incomingRefreshToken) {
    throw new AppError('Unauthorized request', 403);
  }

  try {
    // Validate signature and expiry with the refresh-token secret (not the access-token secret)
    const decoded = jwt.verify(incomingRefreshToken, process.env.REFRESH_TOKEN_SECRET);
    const user = await User.findById(decoded._id);

    // Compare with the token stored for this user: a rotated or revoked token no longer matches
    if (!user || incomingRefreshToken !== user.refreshToken) {
      throw new AppError('Invalid or expired refresh token', 403);
    }

    // Rotate: generate a new pair (the helper also persists the new refresh token on the user)
    const { accessToken, refreshToken } = await generateAccessAndRefreshTokens(user._id);

    res
      .status(200)
      .cookie('accessToken', accessToken, { secure: true, httpOnly: true })
      .cookie('refreshToken', refreshToken, { secure: true, httpOnly: true })
      .json(new ApiResponse(200, 'Access token refreshed', { accessToken, refreshToken }));
  } catch (error) {
    // Keep our own errors intact; wrap jwt errors (TokenExpiredError, JsonWebTokenError)
    if (error instanceof AppError) throw error;
    throw new AppError('Token refresh failed', 403);
  }
});

module.exports = { refreshAccessToken };

Best Practices for Token Management 🛠️

  1. Store Tokens Securely:

    • Use httpOnly and secure cookies for refresh tokens.

    • Avoid storing tokens in localStorage or sessionStorage.

  2. Rotate Refresh Tokens:

    • Issue a new refresh token on every token refresh.

    • Invalidate old refresh tokens to prevent replay attacks.

  3. Set Expirations:

    • Keep access tokens short-lived (minutes to hours).

    • Use longer lifespans for refresh tokens but revoke them on logout.

  4. Validate and Verify:

    • Always verify tokens using the server’s secret keys.

    • Check token integrity and expiration before issuing new tokens.


Why You Should Love This Flow ❤️

  • Security: Even if an access token is compromised, it expires quickly.

  • Scalability: Stateless APIs make this flow perfect for distributed systems.

  • Convenience: Users stay logged in longer without re-authentication.


A Meme for You! 🎉

🧑‍💻 Developer debugging token expiry issues:
“Why did my access token die?! Oh, right... it’s supposed to. 😅”


Wrapping Up 🎁

Access and refresh tokens are essential tools in modern authentication systems, balancing security with user convenience. By following best practices and understanding the flow, you can build robust, secure, and scalable applications.

Want to add your own twist? Let’s discuss in the comments! 💬

Support Abhishek Raut by becoming a sponsor. Any amount is appreciated!
