What Are Refresh Tokens? When & How to Use Them (2024)

Ever wondered how nice it would be if an application knew it was you trying to access it, without making you re-enter your credentials time and again?

Let's say you try accessing the application after a day or two, or even at the end of an entire week, and somehow... magically (not really xD) the system just knows it's you.

Furthermore, with the security side of the app being robust, no other individual with malicious intent can access confidential information. Now that's music to a developer's ears -- or, at least, a powerful way to secure applications and systems at scale.

Before diving into the know-hows of refresh tokens, let's understand why they are even needed in the first place.

Conventional Approach of Securing Apps

Many applications use token-based authentication to permit a user to access information (or resources) that would normally not be available to the general public (unauthenticated users).

A token is a unique approval given to you (more like a digital signature) for accessing a resource. The application issues it to you once you have authenticated yourself with valid credentials. These tokens are generally short-lived, i.e., valid only for a short amount of time (say 5-15 minutes). This is plenty for you to perform a particular task requiring validation, but it makes it harder for individuals with malicious intent to get their hands on confidential resources. Until the token expires, the user does not have to enter their credentials again.

This kind of system is widely used to perform online transactions where security is of utmost importance. However, due to the short-lived nature of such access tokens, the user has to re-authenticate to be issued a new access token once the current one expires.

Refresh Tokens to The Rescue

We can clearly make out that short-lived access tokens provide better security overall but hamper the user experience (UX) of the application. Imagine having to log in again and again just because the application has to make sure that you're still, well... you!

Here is where refresh tokens come to the rescue. A refresh token lets you re-validate a user without them having to re-enter their login credentials multiple times. A new access token is issued, provided the refresh token presented with the request is a valid one. This method provides an enhanced user experience all while keeping a robust security interface.

OAuth 2.0 is a popular authentication framework that essentially allows client applications to access resources provided by other applications & servers on behalf of the user. This architecture leverages the benefits of utilizing access and refresh tokens.

Now, having discussed the impact a refresh token has on enhancing the user experience of the application, is there any other benefit to using them?

It is true that, generally, web applications and SPAs (Single-Page Applications) only need short-term access to resources that require authentication. When you do need access to those resources again after a few days, you could definitely log in again, right? So why bother setting up refresh tokens?

When to use Refresh Tokens?

The main purpose of using a refresh token is to considerably shorten the life of an access token. The refresh token can then later be used to authenticate the user as and when required by the application without running into problems such as cookies being blocked, etc. If that does not make much sense, think of it this way:

When a browser makes a request to an API endpoint for a resource provided only to authenticated users, the application requires the credentials of the user. Upon authentication (login), the application in the user's browser is granted access to the resource. This access is provided by sharing an access token with the user's browser so that subsequent API calls from the browser -- which would otherwise require the credentials -- can be sent without any hassle.

Now, in the process of sharing the access token with the user, the system may also provide a refresh token. This refresh token later lets the client keep making API calls -- even after the access token has expired -- by requesting a new access token when required.

Hence, refresh tokens allow applications to obtain new access tokens with plain API calls, without users having to approve cookies, log in multiple times, etc.

Drawbacks and Ways to Conquer

It's also true that you may not need the "added superpowers" offered by the refresh tokens to keep the user session and experience smooth. After all, methods such as cookies and silent authentication are beneficial in their own ways too! Let's talk about a scenario when refresh tokens might actually turn out to be an application's kryptonite... (not really xD).

If a refresh token is compromised (someone else got their hands on it or, even worse -- steals it), the individual not only gains access to the resources provided by the API but also keeps that access for much longer than a stolen access token would allow. Now that's a dreadful scenario for developers and users alike.

Having said that, counter-measures such as Refresh Token Rotation and Automatic Reuse Detection help limit the damage a stolen token can do -- and preserve the benefits of refresh tokens.

With rotation, each time a refresh token is used to obtain a new access token, the system responds with not only the access token but also a new refresh token. From then on, only the newest refresh token is accepted for subsequent requests. If a request arrives with an older, already-used refresh token, it is rejected outright (the client presenting it is treated as unauthenticated).

Also, the Risk-Based Authentication (RBA) approach suggests that if a refresh token is used more than once, the tokens are revoked, thereby preventing further access to valuable resources. Such a mechanism further strengthens the security of applications using refresh tokens.
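To make the issue-then-refresh exchange from the "When to use" section and the rotation plus reuse-detection rules above concrete, here is an added example written for this edit (not code from the original post): an in-memory model of an authorization server in Python. The token format (opaque random strings), the TTLs, the "family" id and the store layout are my own assumptions; a real deployment would persist the records and sign or encrypt the tokens.

```python
import secrets
import time


class TokenStore:
    """Constructed in-memory model of an authorization server that issues a
    short-lived access token plus a rotating refresh token, and revokes the
    whole refresh-token "family" when an already-used token is presented."""

    ACCESS_TTL = 10 * 60          # 10 minutes, assumed
    REFRESH_TTL = 7 * 24 * 3600   # 7 days, assumed

    def __init__(self, now=time.time):
        self.now = now                  # injectable clock for testing expiry
        self.tokens = {}                # refresh token -> record
        self.revoked_families = set()   # families killed by reuse detection

    def _issue(self, user, family):
        # Opaque random strings stand in for real (e.g. JWT) tokens.
        access = secrets.token_urlsafe(32)
        rt = secrets.token_urlsafe(32)
        self.tokens[rt] = {"family": family, "user": user,
                           "exp": self.now() + self.REFRESH_TTL, "used": False}
        return {"access_token": access, "refresh_token": rt,
                "expires_in": self.ACCESS_TTL}

    def login(self, user):
        """Credentials were verified elsewhere; start a fresh token family."""
        return self._issue(user, family=secrets.token_hex(8))

    def refresh_grant(self, rt):
        """Handle grant_type=refresh_token. Returns a new token pair, or None
        when the request must be rejected (client treated as unauthenticated)."""
        rec = self.tokens.get(rt)
        if rec is None or rec["family"] in self.revoked_families:
            return None
        if rec["exp"] <= self.now():
            return None                 # the refresh token itself expired
        if rec["used"]:
            # Automatic reuse detection: this token was already rotated out.
            # Either the legitimate client or a thief is replaying a stale
            # copy, so every token descended from that login is revoked.
            # (Outstanding access tokens are short-lived and simply expire.)
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True              # rotation: the old token is now dead
        return self._issue(rec["user"], rec["family"])
```

Revoking the family on reuse means the legitimate user is logged out too, which is the intended trade-off: they simply log in again, while the thief's copy is useless.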

Conclusion

Refresh tokens are a consummate way of providing sturdy security all while providing a great experience for users, provided they are used in appropriate ways. That being said, they might not be essential for your applications and their needs, so the final decision rests with you.

I hope this blog provided an insight into refresh tokens and how you may utilize these in your applications. Thanks for reading!

FAQs

What Are Refresh Tokens? When & How to Use Them?

A refresh token is a special token that is used to obtain more access tokens. This allows you to have short-lived access tokens without having to collect credentials every time one expires.

Should refresh tokens be reused?

Reusable refresh tokens do exactly what they say on the tin: the client application uses and reuses the refresh token each time it needs a new access token. In contrast, rotated refresh tokens are only usable one time.

What is the difference between a token and a refresh token?

The access token is used to authenticate API requests to access protected resources, while the refresh token is used to obtain new access tokens once the current ones expire.

Do refresh tokens expire?

Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use.

How do I use a refresh token?

Use a refresh token

To refresh your access token and ID token, you send a token request with a grant_type of refresh_token. Be sure to include the openid scope when you want to refresh the ID token. If the refresh token is valid, then you get back a new access token, a new ID token, and the refresh token.

What is the benefit of a refresh token?

Here are the main benefits of using refresh tokens: Continuous access: Users enjoy uninterrupted access to applications without frequent re-logins. Enhanced security: Long-lived refresh tokens reduce the risk of access token theft, as the tokens used to access resources are short-lived and expire quickly.

Can someone steal a refresh token?

Perhaps this could be the case — the attacker could only steal a few of the victim's packets — but it doesn't seem to solve the general problem. An attacker can steal a refresh token and use it to generate new access tokens. The outcome is the same as if they stole a long-lived access token.

Where is the refresh token stored?

You Can Store Refresh Token In Local Storage

Storing tokens in browser local storage provides persistence across page refreshes and browser tabs; however, if malicious users managed to run JavaScript in the SPA using a cross-site scripting (XSS) attack, they could retrieve the tokens stored in local storage.

How to decode a refresh token?

@bsrour You don't "decode" a refresh token. Refresh tokens are just strings. You use refresh tokens to extend the lifetime of an OAuth access token. If either the access token or the refresh token has expired, then the user will need to authorise your application again.

Should refresh tokens be stored?

Store refresh tokens securely

Depending on your application, you'll need to secure refresh tokens for future use until they expire. For native applications connected to APIs, refresh tokens can be stored in long-term storage like relational and non-relational databases.

What is the logic behind refresh tokens?

Refresh tokens allow users to log in and stay connected without providing their passwords for long periods. Further, they add a layer of security for sensitive data while improving the user experience. Refresh tokens can last from a few days to a few months.

What is the best practice for refresh token expiration?

Best practice

Set the expiration time for refresh tokens so that they remain valid a little longer than the access tokens. For example, if you set 30 minutes for the access token, then set (at least) 24 hours for the refresh token.

Can a refresh token be used twice?

These concurrent requests may happen within a few milliseconds. However, once the refresh token has been used to retrieve a new access token it cannot be reused, which causes the subsequent requests with the same refresh token to fail.

Should refresh tokens be rotated?

Refresh token rotation offers a remediation to end-user sessions being lost due to side-effects of browser privacy mechanisms. Because refresh token rotation does not rely on access to the Auth0 session cookie, it is not affected by ITP or similar mechanisms.

Should I use a refresh token with JWT?

Typically, JWTs have an expiration time or exp claim, ensuring that they're valid for a particular duration. However, one of the challenges in JWT-based systems is managing the token expiration and ensuring continuous user sessions. This is where the role of a refresh token becomes pivotal.

Should the client store the refresh token?

Finally, when using refresh tokens, make sure to store them in their own cookies. There is no need to send them with every API request, so ensure that this is not the case. Refresh tokens must only be added when refreshing expired access tokens.

Article information

Author: Ms. Lucile Johns