We use cookies to ensure you get the best experience on our website.

7 min read
Refresh tokens
Are you using access tokens but looking to strengthen your platform security? Discover how refresh tokens can balance user experience with data protection and security.

How to use refresh tokens

Link to this section

Providing top notch security while delivering an excellent user experience is essential for every platform and app building business. It can be irritating to sign in several times just to access the basic tools you need to do your job.

That’s where refresh tokens come in. Refresh tokens strike a balance between keeping your platform secure from data breaches and compromises while ensuring your customers are getting an excellent user experience.

But, you need to ensure you’re using refresh tokens safely by having strategies and safeguards in place to protect yourself and your customers. Luckily, there are plenty of measures you can take to use refresh tokens securely without compromising a seamless user experience.

What is an access token?

Link to this section

An access token is a piece of code that contains information about the user, timeframes, groups, and permissions which move from a server to a user’s device. Access tokens give permission to a particular application to access an API.

Many websites use access tokens, which vary from website to website. For example: Google Calendar needs permission to access the calendar’s API to create and schedule events through an access token.

Access tokens generally contain three parts that are used to verify a user has permission to access a particular resource including:

  1. Header: gives information about how to validate the token and information about the type of token.
  2. Payload: provides information about the user and application that is requesting access to the service.
  3. Signature: contains the verification data used to validate and authenticate the token.

Access tokens work by communicating between the server and a device where users follow these simple steps:

  • Sign in: verify your identity by entering your username and password.
  • Verify: the server verifies the data and provides a token.
  • Store: the token is sent to your browser.
  • Communicate: the token is verified each time you access something new on the server.
  • Delete: the token is deleted once your session has ended.

Types of access tokens

Link to this section

There are a few different types of access tokens, from JWT access tokens to API management tokens.

Opaque access tokens

Link to this section

Opaque tokens are access tokens that give users unique characters from the authentication server. An opaque token doesn’t contain identifiable information and the token itself has no meaning to the user.

To validate an opaque token the user needs to call the server that’s provided with the token. Opaque tokens are exclusively used to access resources from a particular server and serve no other useful purpose.

JWT access tokens

Link to this section

JSON Web Token (JWT) is an open standard that defines a compact and self-contained manner for securely communicating information between parties.

JWT access tokens are compact because of their size, meaning their transmission is quick. They are also self-contained because the payload includes all the information about the particular user without having to ask the database multiple times.

Management API access tokens

Link to this section

Management API access tokens are a type of sign in authentication that allows a computer to access multiple third-party applications and diverts two-step verification.

Essentially, management API access tokens reduce the need for data entry and manual transcription, and you avoid signing in and out of different platforms over and over again.

API token management automates and improves workflow for teams working across multiple applications, therefore, teams can share a unified environment.

What is a refresh token?

Link to this section

A refresh token is a special token used to unlock more access tokens. Access tokens are only valid for a short period of time. When they expire, a refresh token can give the user continued access without having to sign in again.

When authentication servers provide an access token to a user it also provides a valid refresh token which is then used to authenticate users after the access token has expired. Access tokens have short lifespans on purpose because the longer an access token is valid the more likely it can be compromised.

Refresh tokens improve the user experience without compromising any security and don’t give users additional access beyond the original scope. Let’s say you’re constantly asked to sign in each time you want to use Netflix to watch TV. It would get pretty frustrating and weaken your user experience and you may even cancel your subscription and choose a competitor.

To combat this, applications use refresh tokens behind the scenes to allow users to go back to their previous Netflix session without having to constantly log in each time. Let’s dive into how refresh tokens work behind the scenes:

  • Sign in: the user signs into an application using their username and password.
  • Access a protected endpoint: the user gains access to a valid access token and the server makes a request on behalf of the user.
  • Use a refresh token to renew access: the access token will expire after a short period of time, so a request is sent to another endpoint to renew the access token.

If a user revokes access to their session the refresh token and the access token become invalid and a new request for an access token and a new refresh token.

The case for using refresh tokens

Link to this section

Refresh tokens maintain security while also delivering a great user experience. Access tokens are purposefully designed to be short-lived to avoid security compromises. This means if a token expires, the user will have to log in again to authenticate their identity, get a new token and start a new session.

Having to constantly re-authenticate leads to a poor user experience and a disruptive workflow. After all, no one wants to log in to Google 100 times a day to access their emails.

Using access tokens in combination with refresh tokens gives you the best of both worlds. Using them together protects against malicious attacks while still being able to re-authenticate users without asking them to constantly sign in each session. This creates a seamless user experience and can increase session duration for users.

How to use refresh tokens securely

Link to this section

You need a good strategy to use refresh tokens, to prevent leaks and data compromises.

Rotate refresh tokens

Link to this section

Refresh token rotation provides applications and platforms with better security measures by decreasing their lifetime. This lowers the chance that a hacker can access a valid token, particularly for single-page applications (SPAs) and browser-based applications.

Since refresh tokens are long-lived tokens they aren’t typically recommended for SPAs because it’s hard to be certain they are only used by the intended application. Rotating refresh tokens invalidates old refresh tokens at the same time as issuing new ones.

Store refresh tokens securely

Link to this section

Depending on your application, you’ll need to secure refresh tokens for future use until they expire. For native applications connected to APIs, refresh tokens can be stored in long-term storage like relational and non-relational databases.

Local storage and browser memory can be used to store refresh tokens for SPAs and browser-based applications. However, local storage does come with some downfalls, including opening yourself up for cross-site scripting attacks.

To ensure a higher level of security, storing tokens in server-side storage allows you to encrypt data at rest. This ensures that even if the storage mechanism is compromised the refresh tokens are safe and secure.

Detect refresh token reuse

Link to this section

Using a refresh token rotation safeguard in combination with a refresh token reuse detection strategy can help remove access to a compromised refresh token. This combination is important because refresh tokens give users unlimited access, meaning it’s impossible to differentiate between malicious users and legitimate users.

By using this strategy, the authentication server is flagged when a user requests a token using an already-used token and an invalidated refresh token. The server then invalidates all the tokens which prevent unauthorized access to applications.

When it comes to authentication, access tokens are a powerful tool to streamline user experiences and strengthen platform security. But if you’re looking to safeguard your app, its best to incorporate refresh tokens to keep intruders out and authenticated users in.

See how Kinde compares to other authentication providers.

Get started now

Boost security, drive conversion and save money — in just a few minutes.