Soren Learning

Chapter 5

Access & Refresh Tokens — Balancing UX and Security

SecurityJWTWebDevSystemDesignBestPractices
Listen to this article

I. Access Tokens: The Short-Lived Resource Key

In a stateless architecture, the Access Token (typically a JWT) is your digital passport. It is sent with every HTTP request to prove the client has permission to perform specific actions.

  • Lifespan: Deliberately short-lived (15 to 90 minutes).
  • The Goal: By compressing the timeframe, we minimize the "window of opportunity" for an attacker.
  • Threat Model: These are Bearer Tokens. Whoever possesses the token has the power. Since they bypass MFA after issuance, a stolen token is an immediate threat. However, the brief exposure window makes a successful attack much harder to sustain without being detected.

II. Refresh Tokens: The Persistent Access Mechanism

To prevent users from having to log in every 15 minutes, we use Refresh Tokens. Their sole purpose is to obtain a new Access Token once the current one expires.

  • Lifespan: Long-lived (days, weeks, or even months).
  • The Danger: A stolen Refresh Token is a "Senior-level" threat. Unlike an Access Token, it grants the attacker Time. They can stay in your system for weeks, pacing their data exfiltration to remain indistinguishable from normal user behavior.

III. Optimal Storage Strategy: Defense in Depth

As a Senior Product Builder, your storage choice determines your vulnerability to XSS and CSRF.

  1. Access Tokens (In-Memory): Store these as a simple variable in your frontend state (e.g., React context). Avoid localStorage at all costs; it is a gold mine for XSS attacks.
  2. Refresh Tokens (HTTP-only Cookies): Store these in a cookie with httpOnly, Secure, and SameSite=Strict flags. This creates a wall that malicious JavaScript cannot cross, effectively mitigating XSS risks.

IV. Refresh Token Rotation (RFC 9700)

This is the gold standard for modern Single Page Applications (SPAs). Every time a user swaps a Refresh Token for a new Access Token, the server issues a new Refresh Token and invalidates the old one.

Why Rotation is Crucial:

  • Automatic Reuse Detection: It creates a "chain" of tokens. If an attacker steals a token and uses it, that token is marked as "consumed."
  • Token Family Revocation: If the legitimate user later tries to use that same "consumed" token, the server detects a breach. It immediately kills the entire token family, forcing a full re-authentication for everyone. This effectively "kicks out" the attacker.

V. Summary: The Product Builder's Implementation Checklist

Feature Access Token Refresh Token
Storage Memory (JS Variable) HTTP-only Cookie
Lifespan 15 - 90 Minutes 7 - 30 Days
Rotation N/A Every use (RFC 9700)
Threat Immediate, but brief Persistent and stealthy

Conclusion

Mastering the dance between Access and Refresh tokens is about managing the Exposure Window. By implementing Refresh Token Rotation and secure storage patterns, you ensure that even if a token is leaked, your system has the "reflexes" to detect the anomaly and protect the user's data.