Skip to content

What is a Refresh Token

Key idea:

Refresh token — a long-lived token (weeks/months) the client uses to obtain new short-lived access tokens without re-authenticating. Typical flow: access_token lives 15 min, refresh_token 30 days. When access expires, the client POSTs the refresh to the token endpoint → gets a new access. Critical: keep refresh in secure storage (httpOnly cookie, not localStorage).

Below: details, example, related terms, FAQ.

Check your site's security →

Details

  • Access token: short-lived (5-15 min), sent on every request
  • Refresh token: long-lived (30+ days), only to token endpoint
  • Rotation: on refresh use, a new refresh is issued and old is revoked
  • Revocation list: Redis/DB with invalidated tokens
  • Grace period: 30 sec for race conditions on concurrent refreshes

Example

POST /oauth/token
  grant_type=refresh_token
  refresh_token=XXX
  client_id=Y
→ { access_token: "...", refresh_token: "NEW", expires_in: 900 }

Related Terms

How Refresh Tokens Work in OAuth 2.0

Refresh tokens are a crucial component of the OAuth 2.0 authorization framework, designed to enhance security and user experience. In the OAuth 2.0 flow, after a user successfully authenticates, they receive both an access token and a refresh token. The access token is typically short-lived, while the refresh token has a longer lifespan, allowing the client to request new access tokens without requiring user re-authentication.

The workflow is as follows:

  • The client application requests access by redirecting the user to the authorization server.
  • Upon successful authentication, the authorization server issues an access token and a refresh token.
  • The client uses the access token to access protected resources for a limited time.
  • Once the access token expires, the client sends a POST request to the token endpoint with the refresh token.
  • The authorization server validates the refresh token and issues a new access token, allowing seamless continuation of the session.

This flow minimizes the need for users to log in frequently, thus enhancing user experience while maintaining security through the limited lifespan of access tokens.

Best Practices for Storing Refresh Tokens

Secure storage of refresh tokens is critical to maintaining the integrity of user sessions and protecting against unauthorized access. Here are some best practices for storing refresh tokens:

  • Use httpOnly Cookies: Store refresh tokens in httpOnly cookies to prevent client-side scripts from accessing them. This mitigates risks from Cross-Site Scripting (XSS) attacks.
  • Avoid Local Storage: Do not store refresh tokens in localStorage or sessionStorage, as these are accessible via JavaScript and can be exploited by malicious scripts.
  • Implement Token Expiration: Set an expiration time for refresh tokens, ensuring that even if they are compromised, they will eventually become invalid.
  • Use Secure Attributes: When using cookies, ensure they are marked as Secure to prevent transmission over unencrypted connections.
  • Limit Scope and Permissions: Generate refresh tokens with the minimum necessary scope and permissions to reduce potential damage from a compromised token.

By adhering to these practices, developers can significantly enhance the security surrounding refresh tokens, thus protecting both user data and application integrity.

Practical Example of Refresh Token Usage

Implementing refresh tokens in your application involves several steps, from generating tokens to using them for access. Below is a practical example using a hypothetical API endpoint.

1. Requesting Tokens: After the user successfully logs in, you can request access and refresh tokens:

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=user@example.com&password=yourpassword

2. Response: The server responds with an access token and a refresh token:

{
"access_token": "abc123",
"refresh_token": "xyz456",
"expires_in": 900
}

3. Using the Access Token: Use the access token to access protected resources:

GET /api/protected-resource
Authorization: Bearer abc123

4. Refreshing the Access Token: When the access token expires, use the refresh token to obtain a new access token:

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=xyz456

5. New Access Token Response: The server issues a new access token:

{
"access_token": "def789",
"expires_in": 900
}

By following this example, developers can effectively manage user sessions without requiring frequent logins, leveraging the power of refresh tokens in their applications.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

Where to store a refresh token?

Server-side: session/database. Client-side: httpOnly + Secure + SameSite=Strict cookie. Never localStorage — XSS risk.

What to do on suspected leak?

Revoke all refresh tokens for the user via <code>DELETE /tokens WHERE user_id=X</code>. User must relogin.

Refresh rotation — required?

Best practice. Especially for SPAs. OAuth 2.1 draft mandates rotation.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.