The latest articles on DEV Community by kundan (@fullstacklabs). https://dev.to/fullstacklabs https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3976249%2Ff66d67a7-70ab-4b4f-8ceb-a9f0f2422893.png https://dev.to/fullstacklabs en kundan Tue, 09 Jun 2026 15:40:16 +0000 https://dev.to/fullstacklabs/access-token-vs-refresh-token-h4f https://dev.to/fullstacklabs/access-token-vs-refresh-token-h4f <h2> Refresh Token:- </h2> <p>A Refresh Token is a long-lived token used to generate new access tokens without login the user again.</p> <p>Refresh tokens must be stored securely (server-side only)</p> <p>Once the Refresh token is expire user must login again (re-authentication need).</p> <p>Access tokens are short-lived token (15 minutes). When they expire, instead of making the user log in again, the app quietly uses the refresh token behind the scenes.</p> <h2> How refresh token works:- </h2> <p>The user login and gets both an access token and a refresh token<br> The app uses the access token to call APIs.<br> After 15 min the access token expires the API returns a 401 Unauthorized error.<br> The app sends the refresh token to the Authorization Server.<br> The Authorization Server returns a fresh access token.<br> The user never notices anything they stay logged in.</p> <h2> Analogy:- </h2> <p>Your office keycard expires every day at midnight. Instead of going back to reception every morning, you have a special master card that automatically issues you a new keycard. The master card much longer, but is stored securely in HR (your server),not to our shirt.</p> <h2> Access Token:- </h2> <p>An Access Token is a short-lived(15 min) token that allows a user to access protected resources.</p> <p>Access Token are stored in the HttpOnly cookies.</p> <p>Used to access APIs and protected routes and send in every request.</p> <p>Access token use the refresh token to get new Access Token.</p> <p>If someone steals an access token, the damage is limited because it expires quickly.</p> <h2> :- Why Do We Need Both? </h2> <p>Why not just use one token?</p> <p>If we use only a long-lived access token:</p> <p>The user stays logged in for a long time.<br> But if the token is stolen, the attacker can use it for a long period.</p> <p>If we use only a short-lived access token:</p> <p>Security improves.</p> <p>But users would have to log in repeatedly.</p> <p>Using both tokens gives us the best of both worlds:</p> <p>Access Token → Better security.<br> Refresh Token → Better user experience.</p> <p>This balance is why modern applications use both</p> <h2> flow:- </h2> <ol> <li>User logs in ↓</li> <li>Backend verifies credentials ↓</li> <li>Backend generates: <ul> <li>Access Token</li> <li>Refresh Token ↓</li> </ul> </li> <li>Backend sends both as HttpOnly cookies ↓</li> <li>Backend stores the refresh token hash in the database</li> </ol> <h2> Later:- </h2> <ol> <li>Access Token expires ↓</li> <li>Browser sends Refresh Token cookie ↓</li> <li>Backend verifies: <ul> <li>Is the refresh token valid?</li> <li>Is it expired?</li> <li>Does its hash match the one in the DB? ↓</li> </ul> </li> <li>If valid: <ul> <li>Generate a new Access Token</li> <li>(Often also generate a new Refresh Token) ↓</li> </ul> </li> <li>Send new token back in HttpOnly cookies</li> </ol> api backend security webdev