Access Token
An access token is a credential used to access a protected resource, such as an API. It is typically a short-lived token that is issued by an authorization server after a user successfully authenticates and authorizes access to a resource.
An access token is self-contained: it carries, in signed form, everything the resource server needs in order to accept a request, so no lookup against the authorization server is required. That also means that whoever holds the token can use it, and the longer it remains valid, the larger the window in which a stolen copy can do damage.
Because the resource server only checks the signature and the expiry time, it cannot tell a stolen token from a legitimately presented one, and it cannot expire an individual token early without keeping extra state of its own. We therefore have to assume that any user's token may be compromised and design so that the damage from a compromise is bounded.
Refresh Token
A refresh token is a long-lived credential that is used to obtain a new access token after the original access token has expired.
Unlike an access token, which carries the user's authentication information itself, a refresh token serves a single purpose: obtaining a new access token for a specific user. It is never presented to resource servers, and the authentication state it refers to is kept by the authorization server in its own store or database rather than inside the token. That gives the server a handle it can pull at any time: deleting the stored token revokes it, so the server can end a user's authenticated session whenever it needs to.
Why Use Both Tokens?
When a user logs in, they are typically issued both an access token and a refresh token. The access token is used for short-term access, while the refresh token is used to obtain a new access token when the original token expires.
We issue tokens this way to limit the damage if they are compromised. Like a one-time password, the access token is valid only for a short window and is reissued regularly; even if it leaks, it can be used only until it expires.
Since we have to assume that a token can be compromised at any time, and that preventing the compromise outright is hard, we shorten the period during which a compromised token remains usable.
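The following is an added example, not code from the original page, showing both halves of the scheme described above in one place: a self-contained, HMAC-signed access token that a resource server verifies with nothing but the key and the clock (so expiry is the only control it has), and an opaque refresh token whose hash is kept server-side so that it can be rotated on use and revoked at will. The key, the lifetimes, the in-memory store and the user name "alice" are assumptions chosen for the demonstration; a real deployment would use a proper JWT library and a durable store.

```python
# Added example (not from the original page): minimal access-token + refresh-token
# issuer using only the Python standard library. All constants are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"demo-signing-key-replace-me"  # assumption: HMAC key held only by the auth server
ACCESS_TTL = 300                         # assumption: access tokens live 5 minutes
REFRESH_TTL = 30 * 24 * 3600             # assumption: refresh tokens live 30 days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _now(now):
    return int(time.time()) if now is None else now


def issue_access_token(sub: str, now=None) -> str:
    """Self-contained token: the claims travel inside the token, signed with HMAC-SHA256."""
    now = _now(now)
    claims = {"sub": sub, "iat": now, "exp": now + ACCESS_TTL}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_access_token(token: str, now=None):
    """Resource-server check: needs only the key and the clock, no server-side state.
    That is exactly why a stolen access token stays usable until 'exp'."""
    now = _now(now)
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # signature mismatch: forged or tampered
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        return None  # expired: the only lever the resource server has
    return claims


# Refresh tokens are opaque random strings; the server stores only their hash,
# so a leaked database does not hand out usable tokens.
_refresh_store = {}  # sha256(token) -> {"sub": ..., "exp": ...}


def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_refresh_token(sub: str, now=None) -> str:
    now = _now(now)
    token = secrets.token_urlsafe(32)
    _refresh_store[_key(token)] = {"sub": sub, "exp": now + REFRESH_TTL}
    return token


def revoke_refresh_token(token: str) -> bool:
    """Server-side control: deleting the stored entry ends the session at any time."""
    return _refresh_store.pop(_key(token), None) is not None


def refresh(token: str, now=None):
    """Exchange a refresh token for a new pair. The old refresh token is consumed
    (rotation), so a replay of a stolen refresh token is rejected."""
    now = _now(now)
    entry = _refresh_store.pop(_key(token), None)
    if entry is None or entry["exp"] <= now:
        return None
    return issue_access_token(entry["sub"], now), issue_refresh_token(entry["sub"], now)


def login(sub: str, now=None):
    """What the authorization server hands out after a successful login."""
    now = _now(now)
    return issue_access_token(sub, now), issue_refresh_token(sub, now)


if __name__ == "__main__":
    access, refresh_tok = login("alice", now=1_000_000)
    print("valid now:", verify_access_token(access, now=1_000_000) is not None)
    print("valid after TTL:", verify_access_token(access, now=1_000_000 + ACCESS_TTL) is not None)
    new_access, new_refresh = refresh(refresh_tok, now=1_000_500)
    print("replay of old refresh token:", refresh(refresh_tok, now=1_000_500))
    print("revoked:", revoke_refresh_token(new_refresh))
```

Note the asymmetry the example makes concrete: nothing in `verify_access_token` consults the store, so the access token can only age out, whereas every refresh token operation goes through `_refresh_store`, which is what lets the server revoke or rotate it.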