Refresh token — a long-lived token (weeks/months) the client uses to obtain new short-lived access tokens without re-authenticating. Typical flow: access_token lives 15 min, refresh_token 30 days. When access expires, the client POSTs the refresh to the token endpoint → gets a new access. Critical: keep refresh in secure storage (httpOnly cookie, not localStorage).
Below: details, example, related terms, FAQ.
Free online tool — website security scanner: instant results, no signup.
POST /oauth/token
grant_type=refresh_token
refresh_token=XXX
client_id=Y
→ { access_token: "...", refresh_token: "NEW", expires_in: 900 }Refresh tokens are a crucial component of the OAuth 2.0 authorization framework, designed to enhance security and user experience. In the OAuth 2.0 flow, after a user successfully authenticates, they receive both an access token and a refresh token. The access token is typically short-lived, while the refresh token has a longer lifespan, allowing the client to request new access tokens without requiring user re-authentication.
The workflow is as follows:
This flow minimizes the need for users to log in frequently, thus enhancing user experience while maintaining security through the limited lifespan of access tokens.
Secure storage of refresh tokens is critical to maintaining the integrity of user sessions and protecting against unauthorized access. Here are some best practices for storing refresh tokens:
Secure to prevent transmission over unencrypted connections.By adhering to these practices, developers can significantly enhance the security surrounding refresh tokens, thus protecting both user data and application integrity.
Implementing refresh tokens in your application involves several steps, from generating tokens to using them for access. Below is a practical example using a hypothetical API endpoint.
1. Requesting Tokens: After the user successfully logs in, you can request access and refresh tokens:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=user@example.com&password=yourpassword2. Response: The server responds with an access token and a refresh token:
{
"access_token": "abc123",
"refresh_token": "xyz456",
"expires_in": 900
}3. Using the Access Token: Use the access token to access protected resources:
GET /api/protected-resource
Authorization: Bearer abc1234. Refreshing the Access Token: When the access token expires, use the refresh token to obtain a new access token:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=xyz4565. New Access Token Response: The server issues a new access token:
{
"access_token": "def789",
"expires_in": 900
}By following this example, developers can effectively manage user sessions without requiring frequent logins, leveraging the power of refresh tokens in their applications.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeServer-side: session/database. Client-side: httpOnly + Secure + SameSite=Strict cookie. Never localStorage — XSS risk.
Revoke all refresh tokens for the user via <code>DELETE /tokens WHERE user_id=X</code>. User must relogin.
Best practice. Especially for SPAs. OAuth 2.1 draft mandates rotation.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.