How Access and Refresh Tokens Work Together to Boost User Experience and Security

This article explains the roles of access and refresh tokens, their lifecycle, and the step‑by‑step process by which a client obtains, uses, and renews tokens to maintain seamless authentication while enhancing security.

Lobster Programming

Purpose of Access and Refresh Tokens

An access token is a short‑lived credential (commonly 1 hour) that a client presents when calling protected APIs. A refresh token is a longer‑lived credential (commonly 1 day) that can be exchanged for a new access token without asking the user to re‑authenticate.

Interaction Flow

The client submits the username and password to the authentication endpoint.

The authentication server validates the credentials and returns an access_token and a refresh_token. The client keeps the access token in memory or other short‑term storage; the refresh token is stored more securely, typically in an HttpOnly cookie.

For each API request the client includes the access token, e.g., Authorization: Bearer <access_token>. The resource server validates the token and, if valid, returns the protected resource.

If the resource server responds with HTTP 401 Unauthorized because the access token has expired, the client sends a token‑refresh request to the authentication server, presenting the refresh token.

The authentication server checks the refresh token:

If the refresh token is still valid, it issues a new access token (and optionally a new refresh token). The client replaces the stored access token and retries the original request.

If the refresh token is also expired or revoked, the server returns an error. The client must clear stored tokens and redirect the user to the login page to obtain fresh credentials.

Security Considerations

Because the access token expires quickly, a leaked access token gives an attacker only a short window of abuse.

Refresh tokens are usually bound to a client secret or stored in HttpOnly cookies, which limits the impact of a leak.

Never store refresh tokens in insecure client‑side locations such as localStorage, where any XSS vulnerability would let injected script read them.

Figures: access token and refresh token lifecycle diagram; login flow with token issuance; access token expiration and 401 response; refresh token expiration leading to re‑login.
Tags: user experience, security, Authentication, access token, Refresh Token
Written by

Lobster Programming

Sharing insights on technical analysis and exchange, making life better through technology.
