JWT , Access and Refresh Token

Many new developers run into trouble while learning about JWTs, access tokens and refresh tokens. No worries, I will try to explain these topics in the simplest and least technical language possible.

So let’s begin with the first very simple and important question.

Why Study JWTs, Access and Refresh Tokens?

Many of the websites and apps we use rely on these for secure logins. Knowing how they work helps you trust the applications you interact with.

And if you are a developer, understanding these concepts is important for building secure and user-friendly applications.

And in the era of AI and cyber attacks, understanding tokens and how they work makes you more aware of potential security risks and lets you take steps to protect your personal information online.

Now let’s understand,

What they are.

JWT = JSON Web Token

Imagine a JWT as a digital note with two parts:

  1. Information section: this part contains details about you, for example your name and id.
  2. Signature: a special signature created by the authorization server to prove that the note is genuine.

This note can be securely sent between two parties to convey important information.

And for a more technical definition, have a look at this:

JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

Secure: the information is encrypted.

Compact: written in a format called JSON, which is easy for computers to understand.

Self-contained: the information inside the JWT is enough to verify its authenticity.

Access Token

Access tokens: think of an access token as your actual note, the one you use to check out your resources. It contains the information section of the JWT, with a short expiration time, ranging from minutes to hours for security reasons.

Refresh Token

Refresh tokens: this is a separate code that you get from the authorization server to obtain a new access token, with fresh information and a new expiration time, after the previous one has expired. It has a longer lifespan, often lasting days or weeks.

When the access token expires, the application uses the refresh token to request a new access token from the authorization server. The server verifies the refresh token and issues a new access token in response. This continues until the refresh token itself expires or is revoked.

Here’s the flow:

  1. You log in to the website (authorization server).
  2. The website verifies your id and password and creates a JWT.
  3. The JWT is split: the information section becomes the access token and the signed portion stays with the server.
  4. You get the access token and a refresh token (a separate code).
  5. You send the access token with your requests to access the data.
  6. When the access token expires, you use the refresh token to request a new JWT from the server.
  7. The server verifies the refresh token and sends you a new JWT with a new access token (fresh information and expiration).
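The note structure and the refresh exchange above, as an added example that is not from the original article: a minimal HS256 signer and verifier on the Python standard library (the key, TTLs and user claims are constructed sample values), which issues a short-lived access token next to a longer-lived refresh token and exchanges the latter for a new access token. It also shows that the information section can be read without the key, because a signed JWT is encoded rather than encrypted, while any change to it or to the signature is rejected by the verifier.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed sample key, not a real one
ACCESS_TTL, REFRESH_TTL = 15 * 60, 7 * 24 * 3600  # minutes for access, days for refresh

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes, ttl: int, now: int) -> str:
    """Build header.payload.signature. The payload is base64url-encoded, not encrypted."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps({**claims, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the claims only if the signature is genuine and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":  # accept only the algorithm we issue
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time comparison
        return None
    claims = json.loads(b64url_decode(payload))
    return None if now >= claims.get("exp", 0) else claims

def read_payload_without_key(token: str) -> dict:
    """The information section is readable by anyone holding the token; only verification needs the key."""
    return json.loads(b64url_decode(token.split(".")[1]))

def issue_pair(user: dict, now: int) -> Tuple[str, str]:
    """Step 4 of the flow: a short-lived access token plus a longer-lived refresh token."""
    access = sign_jwt({**user, "type": "access"}, SECRET, ACCESS_TTL, now)
    refresh = sign_jwt({"sub": user["sub"], "type": "refresh"}, SECRET, REFRESH_TTL, now)
    return access, refresh

def refresh_access(refresh_token: str, now: int) -> Optional[str]:
    """Steps 6-7: verify the refresh token, then mint a fresh access token with a new expiry."""
    claims = verify_jwt(refresh_token, SECRET, now)
    if claims is None or claims.get("type") != "refresh":  # an access token must not be usable here
        return None
    return sign_jwt({"sub": claims["sub"], "type": "access"}, SECRET, ACCESS_TTL, now)
```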

Now let’s discuss one last important question:

Why use them?

  1. Improved user experience = no need to log in repeatedly.
  2. Enhanced security = access tokens have short lifespans.
  3. Reduced server load = no need to store session data for each request.
  4. Standardized format = everyone understands the format of a JWT, making it easy for different systems to work together.

In summary, JWTs provide a secure and compact way to transmit information, access tokens are short-lived JWTs used for API access, and refresh tokens are longer-lived JWTs used to obtain new access tokens when needed, enabling a smooth and secure authentication flow.

More articles by Satya Prakash Dwivedi