Refresh Token

A refresh token is a long-lived credential used to obtain new access tokens without requiring the user to log in again. Refresh tokens are typically opaque (random strings stored server-side) or JWTs with longer expiration. Each use should ideally issue a new refresh token (rotation) to detect theft. They are exchanged at a dedicated token endpoint, not sent with every API request like access tokens. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail.

Why It Matters

Refresh tokens enable good UX (stay logged in) while keeping access tokens short-lived. Compromised refresh tokens are more dangerous than stolen access tokens because they persist longer. Store them in httpOnly cookies, implement rotation, and maintain a revocation list for immediate logout. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.

Related Terms

Related Comparisons

Related Tools

Related Articles

Frequently Asked Questions

Should refresh tokens be JWTs?

They can be, but opaque tokens with server-side lookup are easier to revoke immediately when compromise is suspected. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

How long should refresh tokens live?

Days to weeks, depending on security requirements. Rotate on each use and revoke on logout or password change. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

Where is the refresh token sent?

To the token endpoint over HTTPS, typically not attached to every resource request like a bearer access token. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.