Access Token vs Refresh Token
Access Token
Pros
- Sent with every API request
- Short-lived (15–60 min) limits exposure
- Contains authorization claims
- Stateless verification with JWT
Cons
- Frequently transmitted — higher interception risk
- Cannot be long-lived without security tradeoffs
- Larger than opaque session IDs
Refresh Token
Pros
- Long-lived — better user experience
- Used only against auth endpoint (less exposure)
- Enables token rotation on each use
- Can be opaque with server-side revocation
Cons
- Higher impact if stolen
- Requires secure storage (httpOnly cookie)
- Needs server-side tracking for rotation/revocation
Verdict
Use short-lived access tokens (15–60 minutes) for API authorization and refresh tokens for obtaining new access tokens without re-login. Access tokens carry claims and travel on every request, so keep them brief. Refresh tokens hit only your auth endpoint and should live in httpOnly cookies with rotation on each use. Never substitute a long-lived access token for a refresh token — the exposure window is too large. This dual-token pattern balances security and user experience in modern auth flows.
Related Tools
Deeper Reading
Frequently Asked Questions
How long should each token live?
Access: 15–60 minutes. Refresh: days to weeks with rotation.
Should refresh tokens be JWTs?
Opaque tokens with server lookup are easier to revoke; JWT refresh tokens work with short exp and rotation.