DEV Community: Khaled Saeed The latest articles on DEV Community by Khaled Saeed (@khaledsaeed18). https://dev.to/khaledsaeed18 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3318749%2F4b825580-54c0-43f4-933a-71ae06de53c7.png DEV Community: Khaled Saeed https://dev.to/khaledsaeed18 en Access and Refresh Tokens in Token-Based Authentication Khaled Saeed Sat, 02 Aug 2025 22:09:39 +0000 https://dev.to/khaledsaeed18/access-and-refresh-tokens-in-token-based-authentication-2a9o https://dev.to/khaledsaeed18/access-and-refresh-tokens-in-token-based-authentication-2a9o <p>πŸ”‘ Token-based authentication has become the <strong>standard</strong> for modern web applications and APIs. If you've ever wondered why we need both access tokens and refresh tokens, or how they work together to create secure, scalable authentication systems, this article will break it down for you.</p> <h2> πŸš€ Introduction </h2> <h3> πŸ” What is Token-Based Authentication? </h3> <p>Token-based authentication is a <strong>stateless approach</strong> to user authentication where the server generates a cryptographically signed token after successful login. This token contains encoded user information and is sent with every subsequent request to prove the user's identity.</p> <h3> βš–οΈ Traditional Session vs. Token-Based Authentication </h3> <p><strong>Traditional session-based authentication</strong> relies on server-side storage:</p> <ul> <li>πŸ‘€ User logs in β†’ πŸ–₯️ Server creates a session β†’ πŸͺ Session ID stored in cookie</li> <li>πŸ“¨ Each request includes the session ID β†’ πŸ” Server looks up session data</li> <li>πŸ’Ύ Requires server memory/database to maintain session state</li> </ul> <p><strong>Token-based authentication</strong>, however, is stateless:</p> <ul> <li>πŸ‘€ User logs in β†’ πŸ–₯️ Server generates a signed token β†’ πŸ“± Token sent to client</li> <li>πŸ“¨ Each request includes the token β†’ βœ… Server verifies token signature</li> <li>🚫 No server-side storage needed for authentication state</li> </ul> <h3> ⚑ The Power of Stateless Authentication </h3> <p>Stateless authentication offers several advantages:</p> <ul> <li> <strong>πŸ”„ Scalability</strong>: No need to sync session data across multiple servers</li> <li> <strong>πŸ”§ Microservices-friendly</strong>: Tokens can be verified independently by any service</li> <li> <strong>πŸ“± Mobile-friendly</strong>: Perfect for mobile apps and single-page applications</li> <li> <strong>πŸ”— Decoupled architecture</strong>: Frontend and backend can be completely separate</li> </ul> <h2> 🎭 Access Tokens vs. Refresh Tokens </h2> <p>Understanding the distinction between these two types of tokens is crucial for implementing secure authentication.</p> <h3> 🎫 Access Tokens </h3> <p><strong>Access tokens</strong> are short-lived credentials that grant access to protected resources. Think of them as <strong>temporary passes</strong> that prove you're authorized to perform specific actions.</p> <p><strong>Key characteristics:</strong></p> <ul> <li>⏰ <strong>Lifetime</strong>: Typically 15 minutes to 1 hour</li> <li>πŸ’Ύ <strong>Storage</strong>: Can be stored in memory, localStorage, or sessionStorage</li> <li>⚠️ <strong>Security risk</strong>: Lower (due to short lifespan)</li> <li>πŸ”„ <strong>Usage</strong>: Sent with every API request in the Authorization header</li> </ul> <h3> πŸ—οΈ Refresh Tokens </h3> <p><strong>Refresh tokens</strong> are long-lived credentials used exclusively to obtain new access tokens. They're like <strong>master keys</strong> that can generate new temporary passes.</p> <p><strong>Key characteristics:</strong></p> <ul> <li>⏳ <strong>Lifetime</strong>: Days, weeks, or months</li> <li>πŸ”’ <strong>Storage</strong>: Should be stored securely (preferably HttpOnly cookies)</li> <li>🚨 <strong>Security risk</strong>: Higher (due to long lifespan)</li> <li>🎯 <strong>Usage</strong>: Only sent to the authentication endpoint to get new access tokens</li> </ul> <h3> Token Flow Diagram </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpkle45fgwsnslo938h0v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpkle45fgwsnslo938h0v.png" alt="Token Flow Diagram" width="800" height="602"></a></p> <h2> πŸ€” Why Do We Use Both? </h2> <p>The dual-token approach elegantly solves the <strong>security vs. usability dilemma</strong> that plagues authentication systems.</p> <h3> 🚫 The Problem with Single Token Approaches </h3> <p><strong>Long-lived access tokens</strong> create security risks:</p> <ul> <li>πŸ’₯ If compromised, attackers have extended access</li> <li>πŸ”’ Difficult to revoke without complex blacklisting</li> <li>πŸ“Š Higher chance of tokens being exposed in logs, URLs, or client-side storage</li> </ul> <p><strong>Short-lived tokens alone</strong> hurt user experience:</p> <ul> <li>πŸ”„ Frequent re-authentication required</li> <li>😀 Poor user experience with constant login prompts</li> <li>πŸ“ˆ Increased load on authentication servers</li> </ul> <h3> βš–οΈ The Dual-Token Solution </h3> <p>By using both token types, we achieve:</p> <p><strong>πŸ›‘οΈ Security Benefits:</strong></p> <ul> <li>⏱️ Limited exposure window (short-lived access tokens)</li> <li>🚫 Ability to quickly revoke access (by invalidating refresh tokens)</li> <li>πŸ›‘οΈ Reduced risk if access tokens are compromised</li> </ul> <p><strong>😊 Usability Benefits:</strong></p> <ul> <li>✨ Seamless user experience (automatic token refresh)</li> <li>🚫 No frequent login prompts</li> <li>πŸ“± Offline capability (cached refresh tokens)</li> </ul> <p><strong>⚑ Performance Benefits:</strong></p> <ul> <li>πŸ“‰ Reduced authentication server load</li> <li>πŸš€ Faster API responses (no session lookups)</li> <li>πŸ’Ύ Better caching strategies</li> </ul> <h3> ⚠️ Why Storing Long-lived Access Tokens is Dangerous </h3> <p>Long-lived access tokens in client storage create multiple attack vectors:</p> <ul> <li>πŸ•·οΈ <strong>XSS attacks</strong> can steal tokens from localStorage</li> <li>🦠 <strong>Malware</strong> can access stored tokens</li> <li>πŸ•΅οΈ <strong>Network interception</strong> gives attackers long-term access</li> <li>πŸ“‹ <strong>Token leakage</strong> through logs or error messages</li> </ul> <p><strong>Refresh tokens help by:</strong></p> <ul> <li>🎯 Limiting the blast radius of compromised access tokens</li> <li>πŸŽ›οΈ Providing centralized revocation control</li> <li>πŸ” Enabling detection of suspicious refresh patterns</li> </ul> <p><strong>πŸ”„ Security Risk Timeline</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftl9y6ogo6w5cv4epekjg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftl9y6ogo6w5cv4epekjg.png" alt="Security Risk Timeline" width="800" height="330"></a></p> <h2> πŸ” Security Tips for Using Refresh Tokens </h2> <p>Implementing refresh tokens securely requires careful consideration of storage, rotation, and monitoring strategies.</p> <p><strong>πŸ—οΈ Token Security Architecture</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsr917iii68g00nahx59i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsr917iii68g00nahx59i.png" alt="Token Security Architecture" width="800" height="1965"></a></p> <h3> 1. 🏦 Secure Storage Strategies </h3> <p><strong>πŸ–₯️ Server-side storage (Recommended):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Store refresh token in HttpOnly, Secure cookie</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">generateTokens</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">refreshToken</span><span class="dl">'</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Prevents XSS access</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// HTTPS only</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">strict</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// CSRF protection</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">7</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span> <span class="c1">// 7 days</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">accessToken</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>βœ… Why HttpOnly cookies are preferred:</strong></p> <ul> <li>πŸ›‘οΈ Immune to XSS attacks</li> <li>πŸ”„ Automatically sent with requests</li> <li>πŸ”§ Can be configured with security flags</li> </ul> <h3> 2. πŸ”„ Implement Token Rotation </h3> <p>Always issue <strong>new refresh tokens</strong> when they're used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/refresh</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isValidRefreshToken</span><span class="p">(</span><span class="nx">refreshToken</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid refresh token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Invalidate old refresh token</span> <span class="nf">revokeRefreshToken</span><span class="p">(</span><span class="nx">refreshToken</span><span class="p">);</span> <span class="c1">// Generate new tokens</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="nx">newRefreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">generateTokens</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="c1">// Store new refresh token</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">refreshToken</span><span class="dl">'</span><span class="p">,</span> <span class="nx">newRefreshToken</span><span class="p">,</span> <span class="nx">cookieOptions</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">accessToken</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h3> 3. ⏰ Set Proper Expiration and Revocation </h3> <p><strong>πŸ“Š Implement sliding expiration:</strong></p> <ul> <li>⏳ Refresh tokens expire after inactivity</li> <li>πŸ‘₯ Active users get extended sessions</li> <li>πŸ—‘οΈ Inactive tokens automatically expire</li> </ul> <p><strong>πŸšͺ Provide revocation endpoints:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/logout</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">;</span> <span class="c1">// Revoke the refresh token</span> <span class="nf">revokeRefreshToken</span><span class="p">(</span><span class="nx">refreshToken</span><span class="p">);</span> <span class="c1">// Clear the cookie</span> <span class="nx">res</span><span class="p">.</span><span class="nf">clearCookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">refreshToken</span><span class="dl">'</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Logged out successfully</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Revoke all user sessions</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/logout-all</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">revokeAllUserRefreshTokens</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Logged out from all devices</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h3> 4. πŸ•΅οΈ Monitor for Suspicious Activity </h3> <p>Implement detection for <strong>unusual patterns</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">detectAnomalies</span> <span class="o">=</span> <span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">ipAddress</span><span class="p">,</span> <span class="nx">userAgent</span><span class="p">,</span> <span class="nx">location</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">metadata</span><span class="p">;</span> <span class="c1">// Check for suspicious patterns</span> <span class="kd">const</span> <span class="nx">recentActivity</span> <span class="o">=</span> <span class="nf">getUserRecentActivity</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nf">isDifferentLocation</span><span class="p">(</span><span class="nx">recentActivity</span><span class="p">.</span><span class="nx">location</span><span class="p">,</span> <span class="nx">location</span><span class="p">)</span> <span class="o">||</span> <span class="nf">isDifferentDevice</span><span class="p">(</span><span class="nx">recentActivity</span><span class="p">.</span><span class="nx">userAgent</span><span class="p">,</span> <span class="nx">userAgent</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Trigger security measures</span> <span class="nf">sendSecurityAlert</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="nf">requireReAuthentication</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> 5. πŸ”‘ Protect Your Token Secrets </h3> <p><strong>πŸ›‘οΈ Key management best practices:</strong></p> <ul> <li>πŸ’ͺ Use strong, randomly generated signing keys</li> <li>πŸ”„ Rotate keys regularly</li> <li>🏦 Store keys in secure key management systems (AWS KMS, HashiCorp Vault)</li> <li>🚫 Never commit keys to version control</li> <li>πŸ”§ Use different keys for different environments </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Use environment-specific keys</span> <span class="kd">const</span> <span class="nx">JWT_SECRET</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">REFRESH_SECRET</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REFRESH_SECRET</span><span class="p">;</span> <span class="c1">// Implement key rotation</span> <span class="kd">const</span> <span class="nx">getCurrentSigningKey</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">keyVersion</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KEY_VERSION</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">v1</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">`JWT_SECRET_</span><span class="p">${</span><span class="nx">keyVersion</span><span class="p">}</span><span class="s2">`</span><span class="p">];</span> <span class="p">};</span> </code></pre> </div> <h2> πŸš€ Advanced Notes </h2> <h3> πŸ” OAuth 2.0 Best Practices </h3> <p>When implementing OAuth 2.0, follow these guidelines:</p> <ul> <li>πŸ–₯️ <strong>Use the Authorization Code flow</strong> for server-side applications</li> <li>πŸ“± <strong>Implement PKCE</strong> (Proof Key for Code Exchange) for public clients</li> <li>βœ… <strong>Validate redirect URIs</strong> strictly</li> <li>πŸ›‘οΈ <strong>Use state parameters</strong> to prevent CSRF attacks</li> </ul> <h3> 🎯 JWT vs. Opaque Tokens </h3> <p><strong>🎫 JWT (JSON Web Tokens):</strong></p> <ul> <li>πŸ“¦ Self-contained and stateless</li> <li>⚑ Can be verified without database lookup</li> <li>πŸ“ Larger payload size</li> <li>⏰ Difficult to revoke immediately</li> </ul> <p><strong>πŸ”’ Opaque Tokens:</strong></p> <ul> <li>🎲 Random string references</li> <li>πŸ” Require database lookup for validation</li> <li>πŸ“¦ Smaller payload size</li> <li>🚫 Easy to revoke immediately</li> </ul> <p>Choose based on your specific requirements for <strong>scalability vs. control</strong>.</p> <h3> πŸ“± PKCE and Single Page Applications </h3> <p>For SPAs and mobile apps, implement <strong>PKCE</strong> to enhance security:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Generate code verifier and challenge</span> <span class="kd">const</span> <span class="nx">codeVerifier</span> <span class="o">=</span> <span class="nf">generateRandomString</span><span class="p">(</span><span class="mi">43</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">codeChallenge</span> <span class="o">=</span> <span class="nf">base64URLEncode</span><span class="p">(</span><span class="nf">sha256</span><span class="p">(</span><span class="nx">codeVerifier</span><span class="p">));</span> <span class="c1">// Authorization request</span> <span class="kd">const</span> <span class="nx">authUrl</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">authEndpoint</span><span class="p">}</span><span class="s2">?`</span> <span class="o">+</span> <span class="s2">`client_id=</span><span class="p">${</span><span class="nx">clientId</span><span class="p">}</span><span class="s2">&amp;`</span> <span class="o">+</span> <span class="s2">`redirect_uri=</span><span class="p">${</span><span class="nx">redirectUri</span><span class="p">}</span><span class="s2">&amp;`</span> <span class="o">+</span> <span class="s2">`response_type=code&amp;`</span> <span class="o">+</span> <span class="s2">`code_challenge=</span><span class="p">${</span><span class="nx">codeChallenge</span><span class="p">}</span><span class="s2">&amp;`</span> <span class="o">+</span> <span class="s2">`code_challenge_method=S256`</span><span class="p">;</span> </code></pre> </div> <p><strong>🌐 OAuth 2.0 Flow with PKCE</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6dpm7fm71a36dl5rsxv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6dpm7fm71a36dl5rsxv.png" alt="OAuth 2.0 Flow with PKCE" width="800" height="632"></a></p> <p><strong>πŸ”„ JWT vs Opaque Token Decision Tree</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fud7pap3lxybp9mpenvge.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fud7pap3lxybp9mpenvge.png" alt="JWT vs Opaque Token Decision Tree" width="800" height="1165"></a></p> <h3> πŸ“š Further Reading </h3> <p>To deepen your understanding, explore these resources:</p> <ul> <li>πŸ“– <a href="https://tools.ietf.org/html/rfc6749" rel="noopener noreferrer">OAuth 2.0 RFC 6749</a> - The official OAuth 2.0 specification</li> <li>πŸ›‘οΈ <a href="https://tools.ietf.org/html/draft-ietf-oauth-security-topics" rel="noopener noreferrer">OAuth 2.0 Security Best Practices</a> - Latest security recommendations</li> <li>πŸ” <a href="https://auth0.com/docs" rel="noopener noreferrer">Auth0 Documentation</a> - Comprehensive authentication guides</li> <li>🎫 <a href="https://jwt.io/" rel="noopener noreferrer">JWT.io</a> - JWT debugger and library information</li> <li>πŸ”’ <a href="https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html" rel="noopener noreferrer">OWASP Authentication Cheat Sheet</a> - Security-focused authentication guidance</li> </ul> <h2> 🎯 Conclusion </h2> <p>Understanding access and refresh tokens is <strong>fundamental</strong> to building secure, scalable authentication systems. The key takeaways are:</p> <ul> <li>🎫 <strong>Access tokens</strong> should be short-lived and used for API requests</li> <li>πŸ—οΈ <strong>Refresh tokens</strong> should be long-lived, securely stored, and used only for obtaining new access tokens</li> <li>βš–οΈ The dual-token approach balances <strong>security, usability, and performance</strong> </li> <li>πŸ”§ Proper implementation requires secure storage, token rotation, monitoring, and key management</li> <li>πŸ“ˆ Always follow current security best practices and consider your specific use case requirements</li> </ul> <p>Remember that <strong>security is not a one-time implementation</strong> but an ongoing process. Stay updated with the latest security recommendations, monitor your authentication systems, and always prioritize user data protection.</p> <p>πŸ’¬ <strong>What's your experience with token-based authentication?</strong> Have you encountered specific challenges or implemented interesting solutions? Share your thoughts in the comments below – I'd love to hear about your real-world experiences and lessons learned! πŸš€</p> webdev security authentication jwt CSR vs SSR in Next.js Khaled Saeed Fri, 18 Jul 2025 10:02:40 +0000 https://dev.to/khaledsaeed18/csr-vs-ssr-in-nextjs-34o8 https://dev.to/khaledsaeed18/csr-vs-ssr-in-nextjs-34o8 <h2> CSR vs SSR in Next.js: From Basics to Advanced Implementation </h2> <h2> Introduction </h2> <p>When building modern web applications with Next.js, one of the most crucial decisions you'll make is choosing the right rendering strategy. Client-Side Rendering (<strong>CSR</strong>) and Server-Side Rendering (<strong>SSR</strong>) each have their strengths and use cases. This guide will walk you through everything you need to know about CSR vs SSR in Next.js.</p> <h2> What is Rendering? </h2> <p>Rendering is the process of converting your React components into HTML that can be displayed in the browser.</p> <p>Next.js supports multiple rendering methods:</p> <ul> <li><strong>CSR (Client-Side Rendering)</strong></li> <li><strong>SSR (Server-Side Rendering)</strong></li> <li><strong>SSG (Static Site Generation)</strong></li> <li><strong>ISR (Incremental Static Regeneration)</strong></li> </ul> <p>But let’s focus on CSR and SSR.</p> <h2> What is CSR? </h2> <p><strong>Client-Side Rendering (CSR)</strong> is a rendering approach where the initial HTML sent to the browser is minimal, and JavaScript running in the browser generates the content dynamically.</p> <h3> How CSR Works: </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvk3eanh3cfxj44oyrz6e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvk3eanh3cfxj44oyrz6e.png" alt="CSR Sequence Diagram" width="800" height="418"></a></p> <h2> What is SSR? </h2> <p><strong>Server-Side Rendering (SSR)</strong> is a rendering approach where the HTML is generated on the server for each request, then sent to the browser as a fully-formed page.</p> <h3> How SSR Works: </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F98pgx79bb9h8qsfdiioj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F98pgx79bb9h8qsfdiioj.png" alt="SSR Sequence Diagram" width="800" height="418"></a></p> <h2> Key Differences </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>CSR</th> <th>SSR</th> </tr> </thead> <tbody> <tr> <td><strong>Initial Load</strong></td> <td>Slower (JavaScript must load first)</td> <td>Faster (HTML ready immediately)</td> </tr> <tr> <td><strong>SEO</strong></td> <td>Poor (content loaded via JS)</td> <td>Excellent (content in HTML)</td> </tr> <tr> <td><strong>Server Load</strong></td> <td>Lower</td> <td>Higher</td> </tr> <tr> <td><strong>Subsequent Navigation</strong></td> <td>Faster</td> <td>Slower</td> </tr> <tr> <td><strong>User Experience</strong></td> <td>Blank page β†’ Content appears</td> <td>Content appears immediately</td> </tr> <tr> <td><strong>Caching</strong></td> <td>Easier to cache assets</td> <td>More complex caching</td> </tr> </tbody> </table></div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm86by1mpfq539jipris9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm86by1mpfq539jipris9.png" alt="Comparison Timeline" width="800" height="418"></a></p> <h2> Code Examples </h2> <h3> Client-Side Rendering Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// pages/csr-example.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span><span class="p">,</span> <span class="nx">useEffect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">CSRExample</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">data</span><span class="p">,</span> <span class="nx">setData</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">loading</span><span class="p">,</span> <span class="nx">setLoading</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// This runs only on the client</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/data</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">response</span> <span class="o">=&gt;</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setData</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="p">});</span> <span class="p">},</span> <span class="p">[]);</span> <span class="k">if </span><span class="p">(</span><span class="nx">loading</span><span class="p">)</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>Loading...<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>Client-Side Rendered Page<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Data: <span class="si">{</span><span class="nx">data</span><span class="p">?.</span><span class="nx">message</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">CSRExample</span><span class="p">;</span> </code></pre> </div> <h3> Server-Side Rendering Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// pages/ssr-example.js</span> <span class="kd">function</span> <span class="nf">SSRExample</span><span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>Server-Side Rendered Page<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Data: <span class="si">{</span><span class="nx">data</span><span class="p">.</span><span class="nx">message</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Generated at: <span class="si">{</span><span class="nx">data</span><span class="p">.</span><span class="nx">timestamp</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// This function runs on the server for each request</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getServerSideProps</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Fetch data from external API</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/data</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="na">props</span><span class="p">:</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">data</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">SSRExample</span><span class="p">;</span> </code></pre> </div> <h2> Performance Comparison </h2> <h3> Time to First Byte (TTFB) </h3> <ul> <li> <strong>CSR</strong>: Fast TTFB (but slower content rendering)</li> <li> <strong>SSR</strong>: Slower (server processing time)</li> </ul> <h3> First Contentful Paint (FCP) </h3> <ul> <li> <strong>CSR</strong>: Slow (wait for JS execution)</li> <li> <strong>SSR</strong>: Fast (HTML ready immediately)</li> </ul> <h3> Time to Interactive (TTI) </h3> <ul> <li> <strong>CSR</strong>: Slow (dependent on JS bundle size)</li> <li> <strong>SSR</strong>: Moderate (hydration required)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp8fhlp67k9qd9ryqlbj5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp8fhlp67k9qd9ryqlbj5.png" alt="Performance Metrics Comparison" width="800" height="418"></a></p> <h3> Performance Optimization Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// pages/optimized-ssr.js</span> <span class="k">import</span> <span class="nx">dynamic</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/dynamic</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Lazy load heavy components</span> <span class="c1">// ! `ssr: false` turns the component into a client component.</span> <span class="kd">const</span> <span class="nx">HeavyComponent</span> <span class="o">=</span> <span class="nf">dynamic</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">../components/HeavyComponent</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">loading</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Loading...<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;,</span> <span class="na">ssr</span><span class="p">:</span> <span class="kc">false</span> <span class="c1">// Disable SSR for this component</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">OptimizedSSR</span><span class="p">({</span> <span class="nx">criticalData</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>Optimized SSR Page<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>Critical content: <span class="si">{</span><span class="nx">criticalData</span><span class="p">.</span><span class="nx">message</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* This component loads only on client */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">HeavyComponent</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getServerSideProps</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Only fetch critical data on server</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/critical-data</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">criticalData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="na">props</span><span class="p">:</span> <span class="p">{</span> <span class="nx">criticalData</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">OptimizedSSR</span><span class="p">;</span> </code></pre> </div> <h2> When to Use What </h2> <h3> Use CSR When: </h3> <ul> <li>Building a dashboard or admin panel</li> <li>User interaction is frequent</li> <li>SEO is not a priority</li> <li>You need real-time updates</li> <li>Building a Single Page Application (SPA)</li> </ul> <h3> Use SSR When: </h3> <ul> <li>SEO is crucial</li> <li>First-page load performance matters</li> <li>Content changes frequently</li> <li>Building e-commerce sites</li> <li>Social media sharing is important</li> </ul> <h2> Advanced Topics </h2> <h3> Dynamic Imports for Code Splitting </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// Advanced code splitting example</span> <span class="k">import</span> <span class="nx">dynamic</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/dynamic</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">DynamicChart</span> <span class="o">=</span> <span class="nf">dynamic</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">../components/Chart</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">loading</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Loading chart...<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;,</span> <span class="na">ssr</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">DynamicTable</span> <span class="o">=</span> <span class="nf">dynamic</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">../components/Table</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">loading</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Loading table...<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">AdvancedCSR</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">view</span><span class="p">,</span> <span class="nx">setView</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">'</span><span class="s1">chart</span><span class="dl">'</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">nav</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">setView</span><span class="p">(</span><span class="dl">'</span><span class="s1">chart</span><span class="dl">'</span><span class="p">)</span><span class="si">}</span><span class="p">&gt;</span>Chart View<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">setView</span><span class="p">(</span><span class="dl">'</span><span class="s1">table</span><span class="dl">'</span><span class="p">)</span><span class="si">}</span><span class="p">&gt;</span>Table View<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">nav</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">view</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">chart</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nc">DynamicChart</span> <span class="p">/&gt;</span><span class="si">}</span> <span class="si">{</span><span class="nx">view</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">table</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nc">DynamicTable</span> <span class="p">/&gt;</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Streaming SSR (React 18+) </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// pages/streaming-ssr.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Suspense</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">SlowComponent</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Simulate slow component</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="mi">3000</span><span class="p">));</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>Slow loading content<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">StreamingSSR</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>Streaming SSR Example<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>This content loads immediately<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>Loading slow content...<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">SlowComponent</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">StreamingSSR</span><span class="p">;</span> </code></pre> </div> <h3> Edge-Side Rendering with Middleware </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// middleware.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">country</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">geo</span><span class="p">?.</span><span class="nx">country</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">US</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Customize response based on location</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="nx">response</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-country</span><span class="dl">'</span><span class="p">,</span> <span class="nx">country</span><span class="p">);</span> <span class="k">return</span> <span class="nx">response</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/api/:path*</span><span class="dl">'</span> <span class="p">};</span> <span class="c1">// Note: Middleware runs before requests but cannot render HTML. it's useful for things like redirects, geolocation, or A/B testing logic.</span> </code></pre> </div> <h2> Best Practices </h2> <h3> 1. Choose the Right Rendering Strategy </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// Decision matrix in code</span> <span class="kd">const</span> <span class="nx">getRenderingStrategy</span> <span class="o">=</span> <span class="p">(</span><span class="nx">pageType</span><span class="p">,</span> <span class="nx">requirements</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">requirements</span><span class="p">.</span><span class="nx">seo</span> <span class="o">&amp;&amp;</span> <span class="nx">requirements</span><span class="p">.</span><span class="nx">freshData</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">SSR</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">requirements</span><span class="p">.</span><span class="nx">interactivity</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">requirements</span><span class="p">.</span><span class="nx">seo</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">CSR</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">Hybrid</span><span class="dl">'</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <h3> 2. Optimize Bundle Size </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// next.config.js</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">experimental</span><span class="p">:</span> <span class="p">{</span> <span class="na">css</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="na">webpack</span><span class="p">:</span> <span class="p">(</span><span class="nx">config</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">config</span><span class="p">.</span><span class="nx">optimization</span><span class="p">.</span><span class="nx">splitChunks</span><span class="p">.</span><span class="nx">chunks</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">all</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="nx">config</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> 3. Implement Progressive Enhancement </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// Progressive enhancement example</span> <span class="kd">function</span> <span class="nf">ProgressiveForm</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">isClient</span><span class="p">,</span> <span class="nx">setIsClient</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setIsClient</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="p">},</span> <span class="p">[]);</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">form</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"text"</span> <span class="na">name</span><span class="p">=</span><span class="s">"name"</span> <span class="na">required</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"email"</span> <span class="na">name</span><span class="p">=</span><span class="s">"email"</span> <span class="na">required</span> <span class="p">/&gt;</span> <span class="si">{</span><span class="cm">/* Enhanced features only on client */</span><span class="si">}</span> <span class="si">{</span><span class="nx">isClient</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">AutoComplete</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">RealTimeValidation</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">type</span><span class="p">=</span><span class="s">"submit"</span><span class="p">&gt;</span>Submit<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Error Handling and Loading States </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// Comprehensive error handling</span> <span class="kd">function</span> <span class="nf">RobustSSR</span><span class="p">({</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">})</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nc">ErrorComponent</span> <span class="na">error</span><span class="p">=</span><span class="si">{</span><span class="nx">error</span><span class="si">}</span> <span class="p">/&gt;;</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>Robust SSR Page<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">data</span><span class="p">?.</span><span class="nx">message</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getServerSideProps</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/data</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to fetch data</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="na">props</span><span class="p">:</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">props</span><span class="p">:</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Conclusion </h2> <p>Choosing between CSR and SSR in Next.js isn't about picking one over the other, it's about understanding your application's requirements and users needs. Here's a quick recap:</p> <ul> <li> <strong>Use SSR</strong> for SEO-critical pages and better initial load performance</li> <li> <strong>Use CSR</strong> for highly interactive applications where SEO isn't a priority</li> </ul> <p>Next.js makes it easy to implement any of these strategies, and you can even mix them within the same application. The key is to profile your application, understand your users' journey, and choose the rendering strategy that provides the best user experience.</p> <p>Remember: <strong>Performance is not just about fast loading, it's about the right content being available at the right time for your users.</strong></p> <p>πŸ“š Further Reading: <a href="https://nextjs.org/docs/app/getting-started/server-and-client-components" rel="noopener noreferrer">Server and Client Components</a></p> webdev nextjs javascript react ✨Mood-based Travel Poster Generator✈️ Khaled Saeed Fri, 11 Jul 2025 22:27:13 +0000 https://dev.to/khaledsaeed18/mood-based-travel-poster-generator-a2d https://dev.to/khaledsaeed18/mood-based-travel-poster-generator-a2d <p><em>This post is my submission for <a href="https://dev.to/deved/build-apps-with-google-ai-studio">DEV Education Track: Build Apps with Google AI Studio</a>.</em></p> <h2> What I Built </h2> <p>I built a <strong>Mood-based Travel Poster Generator</strong>, an AI-powered app that creates unique travel posters based on the user's current mood. I used this prompt in Google AI Studio:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"Build a web app that take the user current mood. Based on the mood, the app suggests a matching travel destination and generates a travel poster using Imagen. The image should reflect both the emotion and the destination’s essence (e.g., 'melancholic' β†’ rainy Venice; 'curious' β†’ ancient ruins in Peru). Include a 'Regenerate Poster' button to create a new variation. Add a simple UI with a text input and a dropdown of mood presets." </code></pre> </div> <h2> Demo </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fslltw898m6t7sk9tjucz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fslltw898m6t7sk9tjucz.png" alt="Mood: Cosy- Style: Vintage" width="800" height="421"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fef12q157xo3rtpobriy4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fef12q157xo3rtpobriy4.png" alt="Mood: Elegent - Style: Impressionist" width="800" height="416"></a></p> <h2> My Experience </h2> <p>This project was a great exercise in blending creativity and technical design. I learned how to:</p> <ul> <li>Structure prompts for more stylized image outputs</li> <li>Use the Imagen API effectively for emotion-to-visual mapping</li> </ul> <p>Thanks to Google AI Studio and DEV for making this learning experience fun and creative!</p> deved learngoogleaistudio ai gemini Automatically Set Access Tokens in Postman After Login (No More Copy-Paste) Khaled Saeed Mon, 07 Jul 2025 08:44:20 +0000 https://dev.to/khaledsaeed18/automatically-set-access-tokens-in-postman-after-login-no-more-copy-paste-19mi https://dev.to/khaledsaeed18/automatically-set-access-tokens-in-postman-after-login-no-more-copy-paste-19mi <h2> Automatically Set Access Tokens in Postman After Login (No More Copy-Paste!) </h2> <p>If you're working with APIs that use access tokens (like JWTs), you've probably dealt with the annoying routine:</p> <ol> <li>Send a <code>POST /login</code> request</li> <li>Copy the access token from the response</li> <li>Paste it into the <code>Authorization</code> header of every other request</li> </ol> <p>😩 Repeating this every time the token expires gets old fast.</p> <h2> πŸš€ What if you could automate it? </h2> <p>This guide shows you how to <strong>extract the token automatically after login and set it as a dynamic environment variable</strong> in Postman. Then you can reuse it in any request, no manual copying needed!</p> <h2> πŸ“¦ Step 1: Create or Select a Postman Environment </h2> <ol> <li>Click <code>New Environment</code> in the top right of Postman</li> <li>Add a new environment (e.g., <code>Local API</code>)</li> <li>Add a variable called <code>accessToken</code>, <strong>set the type to <code>secret</code></strong>, and leave the <strong><code>initial value</code> empty</strong> </li> </ol> <h2> πŸ§ͺ Step 2: Add a Script to Your Login Request </h2> <p>In your <code>POST /api/v1/auth/login</code> request, go to the Scripts section, then select the Post-response tab and add this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">success</span> <span class="o">&amp;&amp;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">data</span> <span class="o">&amp;&amp;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">accessToken</span><span class="p">)</span> <span class="p">{</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">accessToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">accessToken</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">βœ… accessToken saved to environment</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">❌ Failed to extract accessToken</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> πŸ’¬ What does this script do? </h3> <ul> <li>It parses the JSON response returned from your login request.</li> <li>It checks if the response contains a valid <code>accessToken</code>.</li> <li>If so, it stores the token in your environment as <code>accessToken</code>, making it available across all your other API requests.</li> <li>You’ll see a confirmation in the Postman console.</li> </ul> <p>You can also save more fields if needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">refreshToken</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">userId</span><span class="dl">"</span><span class="p">,</span> <span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> </code></pre> </div> <h2> 🧷 Step 3: Use the Token in Other Requests </h2> <p>Once the <code>accessToken</code> is saved as an environment variable, you can inject it automatically into your other requests.</p> <h3> βœ… Option 1: Use the Authorization Tab </h3> <ol> <li>In your API request, go to the <strong>Authorization</strong> tab </li> <li>Select <strong>Bearer Token</strong> for the <strong>Auth Type</strong> </li> <li>Set the token to <code>{{accessToken}}</code> </li> </ol> <h3> βœ… Option 2: Set the Header Manually </h3> <p>Instead of using the Authorization tab, you can manually add a header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Authorization: Bearer {{accessToken}} </span></code></pre> </div> <p>That’s it! Now your token will automatically update after each login and be used wherever <code>{{accessToken}}</code> is referenced.</p> <h2> 🎁 Bonus: Automate Token Refresh (Optional) </h2> <p>If your API provides a <code>refreshToken</code> flow (e.g., <code>POST /refresh-token</code>), you can automate that too!</p> <p>Create a separate request for refreshing the token, and add a <strong>Post-response</strong> script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">newAccessToken</span><span class="p">)</span> <span class="p">{</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">accessToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">res</span><span class="p">.</span><span class="nx">newAccessToken</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">πŸ”„ accessToken refreshed and updated</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Then you can call this request manually or as a pre-request step if a 401 is detected.</p> <h2> 🧠 Summary </h2> <p>Here’s what you’ve accomplished:</p> <p>βœ… Automatically saved your <code>accessToken</code> from the login response<br><br> βœ… Injected the token into future requests using dynamic variables<br><br> βœ… Removed the need for manually copying and pasting tokens<br><br> βœ… Optionally prepared for refresh token logic </p> <h2> 🏁 Conclusion </h2> <p>This small but powerful automation trick can save you a <strong>lot</strong> of time, especially when working with authenticated APIs during development or testing.</p> <p>No more expired tokens or constant back-and-forth between tabs!</p> <p>Let me know if you’d like a follow-up guide on chaining token refresh logic or fully automating session flows in Postman and I’d love to hear how you’re using Postman in your workflow.</p> <p>Happy testing! πŸ™Œ</p> postman api automation productivity