Access Token, Refresh token, and Refresh Token Rotation

What is an Access Token?

An access token is a credential, very commonly a JSON Web Token (JWT), that the server signs (not encrypts: the claims inside a JWT are readable by anyone who holds it, and only the signature proves it is genuine). It carries the claims that grant access to protected resources on the server. The client (browser or app) attaches the token to every request for a protected resource in order to be allowed in, hence the name access token.

The server generates the access token when the client authenticates. The client then presents that token on later requests, and the server validates its signature and claims to decide whether the request is allowed. For security reasons a short expiry time (the exp claim) should be set when generating a new access token, so that a leaked token is only useful for a short window.

The access token serves both authentication and authorization. Authentication establishes who the caller is: a valid signature and subject claim prove the token was issued to a particular user. Authorization determines whether that user has enough privilege to access the requested resource. The user must be authenticated before the authorization level is checked, otherwise the privilege check is being run on claims nobody has verified.
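The following is an added example, not code from the original post, that puts the access token section above into working Python using only the standard library: it mints an HS256 JWT with a 15-minute exp claim, verifies the signature in constant time, rejects expired or edited tokens, and then runs the authentication step before the authorization (role) check. The key SECRET_KEY, the lifetime, and the roles claim name are assumptions of the example, and the tamper helper at the end exists only to show that editing the payload without the key breaks verification.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for this example only; a real deployment loads a random key of
# at least 32 bytes from a secret store (assumption of the example).
SECRET_KEY = b"example-hs256-key-do-not-use-in-production"
ACCESS_TOKEN_TTL = 15 * 60  # seconds; access tokens stay short-lived


class TokenError(Exception):
    """Raised when a token is malformed, forged, or expired."""


def _b64url(data: bytes) -> str:
    # JWT uses base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_access_token(user_id, roles, now=None, ttl=ACCESS_TOKEN_TTL):
    """Mint an HS256 JWT whose exp claim is a short time in the future."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    return signing_input + "." + _b64url(_sign(signing_input))


def verify_access_token(token, now=None):
    """Authentication: return the claims only if signature and expiry check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenError("malformed token")
    # Pin the algorithm; never let the header choose it (blocks alg=none and
    # algorithm-confusion tricks).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = _sign(header_b64 + "." + payload_b64)
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise TokenError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("expired")
    return payload


def authorize(token, required_role, now=None):
    """Authentication first, then authorization. Raises TokenError if the token
    is not valid, so an unauthenticated caller never reaches the role check;
    returns True only if the authenticated user carries required_role."""
    claims = verify_access_token(token, now=now)
    return required_role in claims.get("roles", [])


def check(token, now=None):
    """Return None if the token verifies, else the reason it was rejected."""
    try:
        verify_access_token(token, now=now)
        return None
    except TokenError as err:
        return str(err)


def rewrite_payload_keeping_signature(token, **changes):
    """Simulate an attacker editing claims without the key (demo helper only)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    forged_payload = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return header_b64 + "." + forged_payload + "." + sig_b64
```

A production service would normally use a maintained JWT library rather than hand-rolled encoding, but the checks are the same ones worth confirming in whatever library is used: the algorithm is pinned server-side, the signature is compared before any claim is trusted, and exp is enforced.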

Refresh Token and Refresh Token Rotation

Because the access token is short-lived, a refresh token is needed: it is a poor user experience to send the user back to the login screen every time the access token expires. A refresh token is used to obtain a new access token once the old one has expired. It may itself be a signed JWT or simply an opaque random string that the server looks up, and it has a much longer expiry than an access token. That long lifetime is exactly why it must be stored and handled more carefully than the access token.

Refresh token rotation means each refresh token can be used exactly once: every request for a new access token also returns a new refresh token and invalidates the one just presented, regardless of how much of its lifetime is left. To accomplish this the server stores the refresh token (or, better, a hash of it) in the database and updates that record on every login and on every request for a new access token. A practitioner will also want reuse detection alongside rotation: if an already-rotated refresh token is presented again, treat it as a sign that the token was stolen, revoke every token descending from that login, and force a fresh sign-in.
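The following is an added example, not code from the original post, of refresh token rotation in Python with an in-memory dictionary standing in for the database table. Refresh tokens are opaque random strings stored only as SHA-256 hashes, each rotation marks the presented token as used and issues a replacement, and the example goes one step beyond the text above by also detecting reuse: every token descending from one login shares a family id, and presenting a used token revokes the whole family. The 30-day lifetime, the row layout, and the family id are assumptions of the example; minting the short-lived access token for the returned user id is left to whatever issues access tokens.

```python
import hashlib
import secrets
import time

REFRESH_TOKEN_TTL = 30 * 24 * 3600  # 30 days (assumption); far longer than an access token


class RefreshError(Exception):
    """Refresh token rejected; the client must log in again."""


class RefreshTokenStore:
    """Stand-in for the refresh_tokens table. Rows are keyed by the SHA-256 of the
    token so that a copy of the database does not yield usable refresh tokens."""

    def __init__(self):
        self._rows = {}  # token_hash -> row

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def _insert(self, user_id, family_id, now, ttl):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, opaque to the client
        self._rows[self._hash(token)] = {
            "user_id": user_id,
            "family": family_id,  # every token descending from one login shares a family
            "expires_at": now + ttl,
            "used": False,
            "revoked": False,
        }
        return token

    def issue_on_login(self, user_id, now=None, ttl=REFRESH_TOKEN_TTL):
        """Called after the user authenticates; starts a new token family."""
        now = int(time.time()) if now is None else now
        return self._insert(user_id, secrets.token_hex(8), now, ttl)

    def revoke_family(self, family_id):
        for row in self._rows.values():
            if row["family"] == family_id:
                row["revoked"] = True

    def rotate(self, presented, now=None, ttl=REFRESH_TOKEN_TTL):
        """Exchange a refresh token for a new one. Returns (user_id, new_refresh_token);
        the caller then mints the short-lived access token for user_id."""
        now = int(time.time()) if now is None else now
        row = self._rows.get(self._hash(presented))
        if row is None:
            raise RefreshError("unknown token")
        if row["revoked"]:
            raise RefreshError("token family revoked")
        if row["used"]:
            # A rotated token came back: either a client replay or a stolen copy. We
            # cannot tell which holder is legitimate, so kill every token in the family.
            self.revoke_family(row["family"])
            raise RefreshError("reuse detected, session revoked")
        if now >= row["expires_at"]:
            raise RefreshError("expired")
        row["used"] = True  # single use, regardless of remaining lifetime
        new_token = self._insert(row["user_id"], row["family"], now, ttl)
        return row["user_id"], new_token

    def try_rotate(self, presented, now=None):
        """Return (user_id, new_token) on success or the rejection reason as a string."""
        try:
            return self.rotate(presented, now=now)
        except RefreshError as err:
            return str(err)
```

Two details matter in a real database: the "used" flip and the insert of the replacement should happen in one transaction, otherwise two concurrent refreshes with the same token can both succeed, and the lookup must be by hash so the raw token never lands in a query log.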