Suppose you are working on something very serious, and for every action you perform the service platform asks for your ID and password "for security purposes". That would ruin your seriousness. Web tokens are like your unique VIP passes: they let you skip these formalities and stay in your serious mood while they fill in your details in the background.
Now you can tell that these tokens are sensitive and should not be shared with anyone. That's why two tokens are generally used these days to get more security.
Access Tokens
These tokens are short-lived: they expire after a short time, and from then on they are useless to anyone who holds them, so a leaked token is only worth something for a small window.
The idea here is to give users a limited-time VIP pass.
Refresh Tokens
Why do we need a second token?
After the access token expires, the user would have to fill in their details again to renew it, daily, weekly or monthly, which is not good for a service platform with lifetime users.
- Introducing Refresh Tokens
Refresh tokens last longer than access tokens and are stored both on the user's side and in the server's database. When the access token expires, the client presents its refresh token and the server compares it with the one saved in its database. It then issues a new access token and extends the refresh token's duration.
Summary
Web Tokens act as VIP passes for users, allowing them to bypass repetitive login requests and maintain a seamless experience. In modern security practices, two types of tokens are commonly used for enhanced protection:
- Access token: short-lived tokens that expire quickly, enhancing security by limiting how long a leaked one is useful.
- Refresh token: longer-lasting tokens stored on both the user's side and in the server's database.
  - Used to renew access tokens automatically, so users don't have to repeatedly enter their details.
  - Keep the service continuous for users without frequent interruptions.
Source: hashnode.com