3

Like the title says, I'm having trouble understanding refresh tokens. How should I make them? The same way as an access token with the package 'jsonwebtoken', or with a different package? If the same package, what do I store in them? The same thing I store in my access token? And should I store my refresh token in the same place where I store my access token? How does a refresh token make JWT more secure?

I can't find clear answers on the internet, since most online tutorials focus more on the access tokens or on how secure JWT is without properly explaining refresh tokens. I'm using Express, by the way.

Lance Pidor
  • Do these answer your question: https://stackoverflow.com/questions/38986005/what-is-the-purpose-of-a-refresh-token and https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/ – Abrar Hossain Dec 19 '21 at 10:45

1 Answer

3

Yes, refresh tokens work the same as access tokens; they use the same technologies.
A refresh token is a special kind of token used to obtain a renewed access token; the refresh token never expires.

- refresh token: a way to communicate with the Authorization server
- access token: a way to communicate with the Resource server

Check this graph, it may help you understand the flow: [flow diagram image]

  • If they use the same tech what do I put as a payload in a refresh token? the same payload in my access token? And if I send a refresh token to get a new access token, do I send a new refresh token as well? – Lance Pidor Dec 19 '21 at 15:02