Refresh Token
ELI5 — The Vibe Check
A Refresh Token is a long-lived secret that gets you new access tokens without re-logging in. Your access token expires every 15 minutes, but your refresh token lasts days or weeks. It's like having a VIP card that lets you get fresh day passes without going through registration again.
Real Talk
Refresh tokens are long-lived credentials used to obtain new access tokens without re-authentication. They're stored securely (HttpOnly cookies, secure storage), never sent to resource servers, and should be rotated on each use. If compromised, they represent a higher risk due to their longer lifetime.
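Added example (not from the original page): a small token service showing the two things the paragraph above asks for, rotation on every refresh and a cookie that keeps the refresh token away from JavaScript. The rotation also does reuse detection: every refresh token belongs to a "family" that starts at login, and if an already-rotated token shows up again, the whole family is revoked and the user has to log in again, which limits the damage from a stolen long-lived token. The 14-day refresh lifetime, the `/auth/refresh` cookie path and the opaque random access token (standing in for a signed JWT) are assumptions for the example.

```python
# Added example: refresh-token rotation with reuse detection plus the
# HttpOnly cookie that carries the token. Not production code; the
# in-memory dicts stand in for a database.
import hashlib
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 15 * 60           # 15 minutes, as in the page
REFRESH_TTL = 14 * 24 * 3600   # 14 days (assumed value)


@dataclass
class RefreshRecord:
    family: str        # one family per login session
    user: str
    expires_at: float
    used: bool = False  # flipped once the token has been rotated


class TokenService:
    def __init__(self, now=time.time):
        self._now = now                               # injectable clock for tests
        self._refresh: dict[str, RefreshRecord] = {}  # keyed by sha256(token)
        self._revoked_families: set[str] = set()

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash so a leaked table does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint_access(self, user: str) -> dict:
        # Opaque random string standing in for a signed JWT (assumed shape).
        return {"sub": user, "exp": self._now() + ACCESS_TTL,
                "token": secrets.token_urlsafe(32)}

    def _mint_refresh(self, user: str, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self._refresh[self._fingerprint(token)] = RefreshRecord(
            family, user, self._now() + REFRESH_TTL)
        return token

    def login(self, user: str):
        """Fresh session: new family, one access token, one refresh token."""
        family = secrets.token_hex(8)
        return self._mint_access(user), self._mint_refresh(user, family)

    def refresh(self, token: str):
        """Rotate: consume the presented refresh token, hand back a new pair."""
        rec = self._refresh.get(self._fingerprint(token))
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec.family in self._revoked_families:
            raise PermissionError("token family revoked")
        if rec.expires_at <= self._now():
            raise PermissionError("refresh token expired")
        if rec.used:
            # An already-rotated token came back. Either the real client
            # replayed a stale copy or someone else holds it; we cannot tell,
            # so revoke the whole family and force a fresh login.
            self._revoked_families.add(rec.family)
            raise PermissionError("refresh token reuse detected; session revoked")
        rec.used = True
        return self._mint_access(rec.user), self._mint_refresh(rec.user, rec.family)


def attempt_refresh(svc: TokenService, token: str):
    """Map the service's outcome to ("ok", pair) or ("denied", reason),
    the way an HTTP handler would turn it into 200 vs 401."""
    try:
        return "ok", svc.refresh(token)
    except PermissionError as exc:
        return "denied", str(exc)


def refresh_cookie(token: str, max_age: int = REFRESH_TTL) -> str:
    """Set-Cookie value for the refresh token. HttpOnly keeps scripts away
    from it, Secure keeps it off plaintext HTTP, SameSite=Strict stops
    cross-site sends, and the narrow Path (assumed endpoint) means the
    browser only attaches it to the refresh call, never to API requests."""
    return (f"refresh_token={token}; Max-Age={max_age}; Path=/auth/refresh; "
            "HttpOnly; Secure; SameSite=Strict")


if __name__ == "__main__":
    svc = TokenService()
    _, r1 = svc.login("alice")
    _, r2 = svc.refresh(r1)          # normal silent refresh, r1 is now spent
    print(attempt_refresh(svc, r1))  # replay of r1 -> denied, family revoked
    print(attempt_refresh(svc, r2))  # even the fresh r2 is dead now
    print(refresh_cookie(r2))
```

The replay check is what makes rotation worth doing: without it, rotating tokens only shortens each token's window, but a copied token that is used first still works until it expires. With it, the first replay of a spent token ends the session for everyone holding it.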
When You'll Hear This
"The refresh token is stored in an HttpOnly cookie — JavaScript can't touch it." / "When the access token expires, the client silently uses the refresh token to get a new one."
Related Terms
Access Token
An Access Token is your short-lived pass to access an API. It proves you're authenticated and what you're allowed to do.
JWT Security
JWT Security is about not screwing up JSON Web Tokens.
OAuth (Open Authorization)
OAuth is the system behind 'Login with Google.' Instead of making a new account, you let Google vouch for you.
Token Rotation
Token Rotation means regularly replacing your tokens with fresh ones. Old token out, new token in.