Refresh Token vs Access Token
What is an Access Token?
An access token, typically a JWT, is an encrypted token that saves the user time and saves the website owner server cost. But what actually is it? It is an encrypted token (a string) that, once decrypted, corresponds to the user's email, password, and other credentials. We can encrypt and decrypt it using different packages in our code.
Access tokens are stored in the browser and remember the user; whenever the user returns, they do not need to log in again and again. But the access token is short-lived, i.e., 1-2 days. Yet if you have noticed that it has been a long time since you logged in to YouTube or Google, how are they managing without an access token, or is there something else? Yes, there is something else: you cannot store the direct or clear information of the user in the browser, because there are ways to get data out of a browser.
Also, you cannot store an access token for a long time because it can easily be decrypted.
That is where the refresh token comes into the picture.
What is a Refresh Token?
Refresh tokens are long-lived compared to access tokens; they last around 10-15 days. A refresh token basically helps in the process of generating a new access token.
How does the process go?
When a user logs in to any website:
The user provides their credentials, like email, password, etc.
The credentials go to the server; the server then turns them into a refresh token and an access token and sends both to the browser, which stores them in local storage.
When the user visits the website again, the user does not need to give their credentials again; the browser automatically sends the access token to the server to check/validate it; the server validates it and then grants the user access to their profile.
When the access token expires (for security reasons), the browser sends the refresh token to the server; the server validates it and then sends a new access token to the browser.