Swiftorial Logo
Home
Swift Lessons
Matchuup
CodeSnaps
Tutorials
Career
Resources

Access Token vs Refresh Token

Overview

Access tokens and refresh tokens are core components of OAuth 2.0 and modern authentication systems. The access token is a short‑lived credential that grants clients permission to access protected resources, while the refresh token allows clients to obtain new access tokens without re‑authenticating the user. Together, they balance security, performance, and user experience.

OAuth 2.0 defined in RFC 6749; JWTs in RFC 7519.

Section 1 - Core Mechanisms

Access Token Structure:

// Example JWT Access Token Payload
{
  "iss": "https://auth.example.com/",
  "sub": "user123",
  "aud": "https://api.example.com/",
  "exp": 1682000000,
  "iat": 1681999000,
  "scope": "read:messages write:messages",
  "jti": "abc123"
}

Refresh Token Properties:

// Refresh Token (opaque by default)
"8xLOxBtZp8"

Access tokens (especially JWTs) are self‑contained and can be validated statelessly, whereas refresh tokens are typically opaque strings mapped to server‑side records and validated via introspection (RFC 7662).

Section 2 - Implementation Details

Token Issuance Flow:

  1. User authenticates and consents via authorization endpoint.
  2. Authorization server issues access_token and refresh_token.
  3. Client stores access token in memory and refresh token in HTTP-only, Secure cookie.

Token Refresh Request:

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
refresh_token=8xLOxBtZp8&
client_id=abc123

On validation, the server issues a new access token (and rotates the refresh token if configured), ensuring compromised tokens cannot be reused indefinitely.

Section 3 - Security Considerations

Access Token Threats:

  • Bearer tokens are susceptible to replay if intercepted.
  • Mitigations: Enforce TLS, short TTL, audience/audience checks.

Refresh Token Threats:

  • Long‑lived tokens are high‑value targets for exfiltration.
  • Mitigations: Store in HTTP-only Secure cookies, implement rotating refresh tokens with sliding expiration.

Public clients should use PKCE to protect refresh flows from interception.

Section 4 - Standards & Protocols

  • RFC 6749: OAuth 2.0 Authorization Framework
  • RFC 6750: Bearer Token Usage
  • RFC 7519: JSON Web Token (JWT)
  • RFC 7662: OAuth 2.0 Token Introspection
  • RFC 7009: OAuth 2.0 Token Revocation

Section 5 - Comparison Table

Dimension Access Token Refresh Token
Token Format JWT (self-contained) or opaque Opaque string or JWT
Validity Short-lived (minutes) Long-lived (days to months)
Storage Memory, secure storage HTTP-only, Secure cookie
Validation Signature + claims checks Server-side introspection
Rotation Renew via refresh token Rotate on each use (sliding window)
Revocation Blacklist or TTL expiry Immediate via revocation endpoint
Use Cases API access, microservices SSO, session continuity
Primary Spec RFC 6750, RFC 7519 RFC 6749, RFC 7009

Conclusion

Access and refresh tokens together enable a secure, performant authentication lifecycle. Use access tokens for short-term, stateless authorizations and refresh tokens for session continuity. Enforce strict storage, rotation, and validation policies to defend against advanced token-based attacks.

Architect's Tip: Adopt rotating refresh tokens with introspection and revocation for maximum resilience.