Refresh Tokens

Node.js | 10 min read | Updated: Mar 30, 2026 | Advanced

Refresh Tokens in Node.js Authentication

In modern authentication systems, access tokens are usually given a short lifetime for security reasons. This helps reduce risk if a token is stolen, but it also creates a challenge: users would have to log in again very frequently.

Refresh tokens solve this problem. They allow the server to issue a new access token without forcing the user to log in again every time the old access token expires.

Key Concept: Refresh tokens are long-lived tokens used to generate new short-lived access tokens securely.

What is a Refresh Token?

A refresh token is a second token issued at login alongside the access token. The access token is sent with every call to protected APIs, while the refresh token is sent only to the token endpoint, to obtain a new access token once the old one expires.

This split is what lets access tokens stay short-lived, limiting how long a stolen one is useful, while the refresh token, which travels far less often, carries the session.

Why Refresh Tokens Are Important

  • Better security: Access tokens can expire within minutes, so a leaked one is useful only briefly
  • Improved user experience: Users are not asked to log in every time an access token expires
  • Session continuity: Long-lived sessions can be maintained, provided the refresh token itself can be revoked
  • Broad applicability: The same pattern serves APIs, mobile apps and single-page web apps

Access Token vs Refresh Token

Feature           Access Token                       Refresh Token
Purpose           Access protected APIs              Obtain a new access token
Lifetime          Short (minutes)                    Long (days)
Usage frequency   Every API request                  Only when the access token expires
Sent to           Resource APIs                      Token endpoint only
Storage           Client side, ideally in memory     HTTP-only cookie or secure device storage

How Refresh Tokens Work

  1. User logs in with email and password
  2. Server verifies the credentials
  3. Server issues both an access token and a refresh token
  4. Client sends the access token with each call to a protected API
  5. When the access token expires, the client sends the refresh token to the dedicated token endpoint
  6. Server verifies the refresh token (signature, expiry and, if it is stored server-side, that it has not been revoked) and issues a new access token

Generating Access and Refresh Tokens

In Node.js, JWT refresh tokens are commonly created with the jsonwebtoken package, signed with a different secret and a longer expiry than the access token. A refresh token does not have to be a JWT: an opaque random string that the server looks up in its token store works as well and is simpler to revoke.

```javascript
const jwt = require("jsonwebtoken");

// Payload claims identify the user. Keep them minimal: anyone holding the token
// can read them. The secrets are hardcoded here for illustration only; load
// them from the environment or a secrets manager in real code.
const accessToken = jwt.sign(
  { userId: 1, email: "rahul@example.com" },
  "access_secret",
  { expiresIn: "15m" }
);

const refreshToken = jwt.sign(
  { userId: 1, email: "rahul@example.com" },
  "refresh_secret",
  { expiresIn: "7d" }
);

console.log(accessToken);
console.log(refreshToken);
```

In this example:

  • The access token expires in 15 minutes
  • The refresh token expires in 7 days
  • Different secret keys are used, so a token signed for one purpose cannot be verified as the other

Login API Example

During login, both tokens are generated and returned. The payload uses the same claim names (userId, email) that the refresh endpoint reads back later, so the two handlers agree on the token contents:

```javascript
const express = require("express");
const jwt = require("jsonwebtoken");

const app = express();
app.use(express.json());

app.post("/login", async (req, res) => {
  // Credential verification is omitted here. In real code, look the user up
  // and compare the password hash before issuing any token.
  const user = { userId: 1, email: "rahul@example.com" };

  const accessToken = jwt.sign(user, "access_secret", { expiresIn: "15m" });
  const refreshToken = jwt.sign(user, "refresh_secret", { expiresIn: "7d" });

  res.json({ accessToken, refreshToken });
});
```

Refreshing the Access Token

When the access token expires, the client sends the refresh token to a dedicated endpoint, which verifies it with the refresh secret and returns a new access token.

```javascript
app.post("/token", (req, res) => {
  const refreshToken = req.body.refreshToken;

  if (!refreshToken) {
    return res.status(401).json({ message: "Refresh token required" });
  }

  // Verify against the refresh secret only: a token signed with the access
  // secret fails here, so an access token cannot be passed off as a refresh token.
  jwt.verify(refreshToken, "refresh_secret", (err, user) => {
    if (err) {
      return res.status(403).json({ message: "Invalid refresh token" });
    }

    // If refresh tokens are stored server-side, also check here that this
    // token has not been revoked before issuing a new access token.
    const newAccessToken = jwt.sign(
      { userId: user.userId, email: user.email },
      "access_secret",
      { expiresIn: "15m" }
    );

    res.json({ accessToken: newAccessToken });
  });
});
```

Why Access Tokens Should Be Short-Lived

If an attacker gets access to a valid access token, they may use it until it expires. Keeping access tokens short-lived reduces the time window for abuse.

Refresh tokens help balance security and usability by renewing access tokens only when needed.

Where to Store Refresh Tokens

Refresh tokens need more careful storage than access tokens because they are valid for much longer and, unlike an access token, can mint new credentials.

  • HTTP-only cookies: The usual choice for browser apps, since page scripts cannot read them. Set the Secure and SameSite attributes as well, and scope the cookie's Path to the refresh endpoint so the browser does not attach it to every request.
  • Secure device storage: The platform keychain or keystore for mobile apps, not plain preferences or files.
  • Database-backed token store: Keeps a server-side record (ideally a hash of the token) per user and device, which is what makes revocation and tracking of active sessions possible.

In many production systems the server keeps a record of each refresh token it issues, so a token can be revoked on logout or when suspicious activity is seen, rather than staying valid until it expires.

Token Rotation

A stronger approach is refresh token rotation. Each time a refresh token is used at the token endpoint, the server issues a new refresh token together with the new access token and invalidates the one just presented.

A stolen refresh token is then only useful until its legitimate owner next refreshes. Rotation is usually paired with reuse detection: if a refresh token that has already been rotated is presented again, either the client or an attacker is replaying it, and the server should revoke the whole chain of tokens descended from that login and require a fresh sign-in.

Logout with Refresh Tokens

Logout should not only discard the tokens on the client but also invalidate the refresh token on the server; otherwise a copy of it remains usable until it expires. If refresh tokens are stored in the database, delete or mark the record; with cookie storage, also clear the cookie in the response.

```javascript
app.post("/logout", (req, res) => {
  const refreshToken = req.body.refreshToken;

  // Remove the token (or its hash) from the database or token store here,
  // so it can no longer be exchanged for a new access token.

  res.json({ message: "Logged out successfully" });
});
```

Best Practices for Refresh Tokens

  • Keep access tokens short-lived (minutes, not days)
  • Give refresh tokens a bounded lifetime rather than an indefinite one
  • Use different secrets for access and refresh tokens, so neither can be verified as the other
  • Store refresh tokens securely: HTTP-only cookie or secure device storage on the client, hashed records on the server
  • Use refresh token rotation, paired with reuse detection
  • Revoke refresh tokens on logout or suspicious activity
  • Use HTTPS in production; a token sent over plain HTTP can be captured in transit

Common Mistakes

  • Using the same secret for all token types, which lets an access token be presented as a refresh token or vice versa
  • Giving refresh tokens extremely long lifetimes with no way to revoke them
  • Storing refresh tokens in localStorage or other storage readable by page scripts, where a cross-site scripting bug exposes them
  • Not validating refresh tokens properly: skipping signature or expiry checks, or not checking whether the token was revoked
  • Not revoking refresh tokens after logout

Real-World Use Cases

  • Single-page applications with login sessions
  • Mobile app authentication
  • Secure API access with long-lived sessions
  • Enterprise authentication systems

Refresh Tokens vs Re-Login

Without refresh tokens, users must log in again whenever the access token expires. With refresh tokens, the session continues smoothly in the background as long as the refresh token remains valid.

This is why refresh tokens are widely used in modern authentication systems.

Conclusion

Refresh tokens are an important part of secure authentication design. They allow access tokens to stay short-lived while still giving users a smooth login experience.

When implemented correctly with secure storage, token rotation, and proper validation, refresh tokens make JWT-based authentication much more practical for real-world applications.

Quick Summary: Refresh tokens are used to generate new access tokens when short-lived access tokens expire, improving both security and user experience.
