
In general, I know the basics of how the access token and refresh token work in the case of a SPA. However, something is not entirely clear.

Some new recommendations say that an access token should expire in 1-5 minutes and that every time I request a new access token, a new refresh token should also be generated. In practice, this means that almost every API call will trigger a token refresh: a new access token and a new refresh token.

Then why do I need 2 tokens?

Vmxes
  • Specifically see this: https://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens/57503520#57503520 and fwiw 1-5 minutes for access token is super short. It's usually 1hr or more. – mfaani Oct 12 '21 at 20:49
  • Does this answer your question? [Why Does OAuth v2 Have Both Access and Refresh Tokens?](https://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens) – mfaani Oct 12 '21 at 20:50

0 Answers