
Auth Thoughts

Access Token vs Refresh Token: A Breakdown


Protocols and standards like Open Authorization (OAuth 2.0) and OpenID Connect (OIDC) rely on tokens rather than traditional credentials to grant users access to sensitive resources. Users experience a smoother and more secure login process when these standards are used.

In the context of OAuth, there are two types of tokens: access and refresh. When comparing refresh tokens with access tokens, you might wonder how the two relate.

Access and refresh tokens can utilize several formats, but the most common form for both is the JSON Web Token (JWT). This compact, self-contained format has become the gold standard for delivering sensitive auth-related information across a variety of platforms.

Let’s walk through the similarities and differences between access and refresh tokens.

What is an access token?

An access token is a digital asset, typically a JWT, facilitating seamless access to resources through OAuth and other passwordless auth configurations. These tokens act as keys that allow users to access sensitive information without repeated login requests.

The typical process for authorization through access tokens goes like this:

  • A client app requires authorization from the user before it can grant them access

  • The user permits an authorization server to send an authorization code to the client

  • The authorization server issues an access token upon client request

  • The client validates the token and grants the user access to resources

Fig: How access tokens work

Access tokens usually have very short lifespans; in many cases, they last only a few hours. For example, access token lifespans in Microsoft’s identity platform are between 30 and 90 minutes by default. The exact value is variable: each token is assigned a random lifetime within that range.

What is a refresh token?

Refresh tokens extend the lifespan of an access token. Typically, they’re issued alongside access tokens, allowing additional access tokens to be granted when the live access token expires. They’re usually stored securely on the authorization server itself.

Refresh tokens work with access tokens to facilitate long-lived sessions without repeated logins.

Refresh tokens are not useful independently from access tokens – they are used exclusively in relation to them. They’re not strictly necessary, and apps can use OAuth without them, but they do provide benefits in terms of better UX and security.

Another major differentiating factor for refresh tokens is that they last much longer than access tokens. For example, refresh tokens in Microsoft’s identity platform have default and rigid (non-configurable) lifespans of 90 days for most scenarios and 24 hours for single-page apps.
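To make the lifetimes and the refresh step above concrete, here is an added, self-contained Python simulation (not code from the original post or from Descope). It assumes an HS256 signing key shared by the authorization server and the resource server, a 30-minute access token, a 90-day refresh token, and constructed values throughout; it shows the resource server rejecting an expired or tampered access token, the client being re-authorized with a refresh token instead of logging in again, and refresh-token rotation so a used or expired refresh token is refused.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-signing-key"   # assumption: HS256 key shared by issuer and resource server
ACCESS_TTL = 30 * 60                       # 30 minutes, the low end of the lifetime cited above
REFRESH_TTL = 90 * 24 * 3600               # 90 days, the default lifetime cited above

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, now: float):
    """Resource-server check: the signature must match and 'exp' must still be in the future."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None                      # tampered or forged token
    claims = json.loads(_unb64(payload))
    return claims if claims.get("exp", 0) > now else None   # None once the short lifetime has passed

class AuthServer:
    """Issues a short-lived access JWT plus an opaque refresh token, recording the latter server-side."""
    def __init__(self):
        self.refresh_store = {}          # refresh token -> (subject, expiry time)

    def issue(self, subject: str, now: float):
        access = sign_jwt({"sub": subject, "iat": int(now), "exp": int(now) + ACCESS_TTL})
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[refresh] = (subject, now + REFRESH_TTL)
        return access, refresh

    def refresh(self, refresh_token: str, now: float):
        """Re-authorize without re-authenticating; rotate so the presented refresh token is single-use."""
        entry = self.refresh_store.pop(refresh_token, None)
        if entry is None or entry[1] <= now:
            return None                  # unknown, already used, or expired: the user must log in again
        return self.issue(entry[0], now)
```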

Comparing access tokens vs refresh tokens

Baseline access is provided in the form of access tokens, whereas refresh tokens play a key role in maintaining sessions through extended periods of use.

As noted, access tokens and refresh tokens are not separate entities. They work together in cases where refresh tokens are used to power seamless and secure long-term authentication.

That said, they are distinct. Here’s how the two tokens stack up across three critical factors:

User experience/interface
  Access tokens: authenticate and authorize users up-front
  Refresh tokens: users are re-authorized without re-authenticating

Transmission and storage
  Access tokens: sent over secure channels (HTTPS) and then stored on client servers
  Refresh tokens: sent over HTTPS, like access tokens, but stored on the authorization server

Security considerations
  Access tokens: short lifespans, encryption, and the ability to revoke access provide strong security
  Refresh tokens: longer lifespans are offset by less frequent refreshes and greater revocation ability

With these differences in mind, the token you prioritize for your auth depends on your use case.

When to use each type of token

Access tokens are one of the best options if you’re considering a passwordless auth solution for your next software project. Some of their optimal use cases are situations where users require access to shared resources. 

When users require authentication to access or modify files owned by others, access tokens can streamline this process.

In most cases, when you use access tokens, it’s also sensible to use refresh tokens. For example, if users are likely to remain logged in for extended periods (or indefinitely), forcing them to re-authenticate regularly could cause friction. Refresh tokens remove that necessity without compromising on security.

However, there are also cases wherein extended access is optional. In these cases, refresh tokens might not be needed.

Drag-and-drop authentication with Descope

Access and refresh tokens are indispensable parts of modern authentication and authorization processes. By understanding and implementing these tokens, organizations can provide a frictionless and secure experience for their end users.

Looking to simplify token management for your app? Descope’s no/low-code CIAM platform helps organizations easily add authentication, authorization, and identity management to their apps using drag-and-drop workflows. Sign up for a Free Forever account or schedule a consultation with our authentication experts to get started.