Published: February 06 2023

JWT with Refresh Tokens vs JWT Access Tokens Alone for Auth

Below is a brief explanation of the differences between using JWT alone vs JWT with Refresh Tokens, and links to a few tutorials on how to implement each approach.


What's a JWT access token?

A JWT (JSON Web Token) is a digitally signed JSON object that can't be tampered with after it is generated. It is commonly used as an access token to implement authentication and authorization between client apps and APIs. For example, a JWT is returned from an API to a client app on successful login, then the JWT is sent with requests to access secure resources on the API.

JWT access tokens contain a set of claims, which are simple key/value pairs in the JSON object such as the authenticated user id (e.g. "id": 123). Token expiration is controlled using the standard JWT claim exp.


What's the point of refresh tokens?

Refresh tokens are used to request new JWT access tokens from the server/API. The benefit of using refresh tokens over JWT alone is increased security, because it allows you to use short-lived JWTs for authentication. JWTs are usually self-contained tokens that cannot be revoked and are valid until they expire, so a long-lived JWT poses a greater security risk if the token is compromised.

Refresh tokens are less likely to be compromised: they can be stored in HTTP Only cookies that are not accessible to client-side JavaScript, which prevents XSS (cross site scripting) from reading them. Refresh tokens are only sent with requests to generate new JWTs; they cannot access other secure routes, which prevents them from being used in CSRF (cross site request forgery). Refresh tokens are revokable: if one is compromised it can be revoked on the server so it cannot generate any more JWTs.

Authentication Flow with JWT and Refresh Tokens

  1. User enters their credentials in the Client App.
  2. API verifies credentials and returns a short-lived JWT and Refresh Token to the Client App.
  3. Client App uses the JWT to make secure requests to the API (You're logged in!).
  4. Before the current JWT expires, Client App requests a new JWT from the API with the Refresh Token.
  5. API verifies the Refresh Token and returns a new short-lived JWT to the Client App.
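The five steps above, as an added example that is not code from this page or the linked tutorials: a minimal HS256 implementation in Python using only the standard library. The signing key, user ids and timestamps are constructed for the demo, and the function names (login, refresh_access, revoke) are my own; the server-side store is what makes refresh tokens single-use and revokable while the JWT itself stays self-contained.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-signing-key"  # placeholder HS256 key, not a real secret
ACCESS_TTL = 15 * 60                       # short-lived JWT: 15 minutes
REFRESH_TTL = 7 * 24 * 3600                # refresh token: 7 days

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(user_id: int, now: int) -> str:
    """Steps 2 and 5: sign an HS256 JWT whose lifetime is set by the exp claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"id": user_id, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: int):
    """Step 3: return the claims if the signature is valid and exp has not passed, else None."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        return None  # only the algorithm we issue is accepted
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    claims = json.loads(_unb64url(payload))
    return claims if now < claims["exp"] else None

# Opaque refresh tokens -> (user_id, expiry), held server-side so one can be revoked by deleting it.
_refresh_store: dict = {}

def login(user_id: int, now: int):
    """Step 2: on valid credentials return a short-lived JWT plus a refresh token."""
    refresh = secrets.token_urlsafe(32)
    _refresh_store[refresh] = (user_id, now + REFRESH_TTL)
    return issue_jwt(user_id, now), refresh

def refresh_access(refresh: str, now: int):
    """Steps 4 and 5: exchange a valid refresh token for a new JWT, rotating the refresh token."""
    record = _refresh_store.pop(refresh, None)  # single use: the presented token is spent
    if record is None or now >= record[1]:
        return None
    new_refresh = secrets.token_urlsafe(32)
    _refresh_store[new_refresh] = (record[0], now + REFRESH_TTL)
    return issue_jwt(record[0], now), new_refresh

def revoke(refresh: str) -> None:
    """Revoke a compromised refresh token so it can no longer mint JWTs."""
    _refresh_store.pop(refresh, None)
```

In a real deployment the refresh token would be set as an HTTP Only cookie and the store would be a database table rather than a dict.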

JWT with Refresh Token Tutorials

Client App:

Server API:


Why use JWT access tokens without refresh tokens?

The benefit of using JWT alone is simpler code and less complexity, at the cost of relying on long-lived JWTs. The approach you choose depends on your use case and requirements.

Authentication Flow with JWT Access Tokens

  1. User enters their credentials in the Client App.
  2. API verifies credentials and returns a long-lived JWT to the Client App.
  3. Client App uses the JWT to make secure requests to the API (You're logged in!).

JWT Tutorials

Client App:

Server API:
