
Backend Authentication: The Role of Access and Refresh Tokens

3 min read

I'm Varchasv, a Data Engineer working on enterprise data integration.

Currently on a 90-problem challenge to level up my technical skills and switch to a more development-focused role.

What I'm doing:

  • Solving 2 Leetcode problems daily (SQL + DSA).
  • Blogging about each problem.
  • Building in public.

My Goal - Land a better data engineering role by mid-2026.

Follow my journey!!

OAuth 2.0 is the industry-standard framework for passing authorization information between parties on the web, typically in the form of a JSON Web Token (JWT).

It uses two kinds of token: the access token and the refresh token. Together they let a client reach protected resources without the user having to log in repeatedly.

Let's look at what each token is and why both are necessary.

Access Token

An access token is usually a JWT. It acts as a key that lets the client fetch information from the server on the user's behalf without a fresh login for every request.

Access tokens have short lifespans, ranging anywhere from minutes to hours.

How do access tokens work?

  1. Authentication: User or app proves identity to the authorization server.

  2. Token Issuance: Authorization server grants an access token with permissions.

  3. Accessing Resources: Client presents an access token to access protected resources.

  4. Validation & Access: Resource server verifies token and grants access if valid.

Refresh Token

Refresh tokens are used to obtain new access tokens for the user without requiring them to log in again.

In every other respect they are like access tokens; the difference is their much longer lifespan.

They are stored on the authorization server, which is what allows the server to validate a refresh token when it is presented and to revoke it when needed.

How do refresh tokens work?

  1. Initial Issue: When a user logs in, the authorization server issues both an access token and a refresh token.

  2. Access Token Usage: The client uses the access token for accessing resources until it expires.

  3. Expiration: When the access token expires, instead of re-authenticating, the client uses the refresh token.

  4. Token Renewal: The client sends the refresh token to the authorization server to obtain a new access token.

  5. Validation: The authorization server validates the refresh token and issues a new access token if it's valid.
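The two procedures above (the access-token flow and the refresh-token flow), as an added example that is not part of the original post: a minimal authorization server and resource server in Python using only the standard library. The signing key, user table, token lifetimes and every token value are constructed for the demo; the HS256 JWT encoding is hand-rolled here to stay dependency-free and is not a production library. The one design choice that goes beyond the post's steps is refresh-token rotation: each refresh token is single-use, so a leaked copy replayed later is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values: a real deployment loads the signing key from a secret
# store and checks credentials against a proper password hash, not a dict.
SIGNING_KEY = b"constructed-demo-signing-key-do-not-reuse"
USERS = {"alice": "correct horse battery staple"}
ACCESS_TTL = 15 * 60          # access tokens live minutes (short lifespan)
REFRESH_TTL = 14 * 24 * 3600  # refresh tokens live days to weeks


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(subject: str, scope: str, now: int) -> str:
    """Step 2 (token issuance): mint a short-lived HS256 JWT carrying the grant."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "scope": scope, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_access_token(token: str, now: int):
    """Step 4 (validation): the resource server checks the signature first, then the
    expiry, and returns the claims or None. It pins the algorithm instead of trusting
    whatever the header says."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return None
        if json.loads(_unb64url(h)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64url(p))
    except (ValueError, KeyError, AttributeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def resource_server_allows(token: str, required_scope: str, now: int) -> bool:
    """Steps 3-4 from the resource server's view: grant access only for a valid
    token whose scope covers the request."""
    claims = verify_access_token(token, now)
    return claims is not None and required_scope in claims.get("scope", "").split()


class AuthorizationServer:
    """Issues both tokens on login and keeps refresh tokens server-side so they
    can be validated, rotated and revoked (refresh-token steps 1-5)."""

    def __init__(self):
        self._refresh_store = {}  # opaque refresh token -> {sub, scope, exp}

    def _new_refresh(self, subject: str, scope: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # opaque and high-entropy, not a JWT
        self._refresh_store[token] = {"sub": subject, "scope": scope, "exp": now + REFRESH_TTL}
        return token

    def login(self, username: str, password: str, now: int):
        """Step 1 (authentication / initial issue): both tokens come back together."""
        if not hmac.compare_digest(USERS.get(username, "").encode(), password.encode()):
            raise PermissionError("bad credentials")
        return issue_access_token(username, "read", now), self._new_refresh(username, "read", now)

    def refresh(self, refresh_token: str, now: int):
        """Steps 4-5 (renewal): validate the refresh token, issue a new access token.
        The presented refresh token is consumed and replaced (rotation)."""
        record = self._refresh_store.pop(refresh_token, None)
        if record is None or record["exp"] <= now:
            return None
        return (issue_access_token(record["sub"], record["scope"], now),
                self._new_refresh(record["sub"], record["scope"], now))

    def revoke(self, refresh_token: str) -> bool:
        """Server-side storage is what makes revocation possible."""
        return self._refresh_store.pop(refresh_token, None) is not None


if __name__ == "__main__":
    server = AuthorizationServer()
    t0 = int(time.time())
    access, refresh = server.login("alice", "correct horse battery staple", t0)
    print("fresh token accepted:", resource_server_allows(access, "read", t0 + 60))
    print("expired token accepted:", resource_server_allows(access, "read", t0 + ACCESS_TTL + 1))
    access, refresh = server.refresh(refresh, t0 + ACCESS_TTL + 1)
    print("renewed token accepted:", resource_server_allows(access, "read", t0 + ACCESS_TTL + 2))
```

The resource server never talks to the authorization server: it only needs the signing key (or, with an asymmetric algorithm, the public key) to check the access token, which is why access tokens can be short-lived and stateless. The refresh token is the opposite: an opaque value whose meaning lives entirely in the server-side store, so it can be rotated on use and revoked on logout or compromise.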

TL;DR 😊

For readers in a hurry, here is a side-by-side comparison of the two.

| Aspect | Access Token | Refresh Token |
|---|---|---|
| Purpose | Grants access to resources for a limited time | Obtains new access tokens without user involvement |
| Validity | Short-lived (minutes to hours) | Longer-lived (days to weeks) |
| Usage | Accesses resources | Requests new access tokens when expired |
| Security | Contains limited information, scoped | Contains sensitive information, should be secured |
| Expiry Handling | Expires after a period | Can be revoked or expire |
| Refreshing | Not refreshable | Used to refresh access tokens |

Conclusion

In summary, access and refresh tokens are the backbone of secure, hassle-free backend authentication.

Access tokens provide temporary access, while refresh tokens quietly renew it without users needing to log in again.

By leveraging these tokens effectively, we ensure both security and convenience in our authentication systems.
