What is Token Refresh?

Turkish: Token Yenileme

Token refresh obtains a new short-lived access token with a refresh token, keeping sessions active without asking users to log in again.

What is Token Refresh?

Token refresh is an authentication flow that keeps a user’s session active without asking for the password again. A short-lived access token is usually used for API calls, while a longer-lived refresh token is stored only to obtain a new access token.

How Does It Work?

A typical flow looks like this:

  1. The user logs in and the server issues an access token and refresh token.
  2. The application sends the access token with API requests.
  3. When the access token expires, the client calls the refresh endpoint.
  4. If the refresh token is valid, a new access token is issued, often with a new refresh token.

In systems using JWT, access tokens are kept short-lived. In OAuth2 flows, refresh token permissions are limited by scope and client type.

Security Considerations

If a refresh token is stolen, an attacker may be able to mint new access tokens for a long time. Token rotation, reuse detection, device-level session records, and revocation are therefore important. Web applications often use HttpOnly, Secure, SameSite cookies; mobile apps should prefer secure storage provided by the operating system.
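The flow in the numbered steps above and the mitigations listed here (rotation, reuse detection, per-session records, revocation) can be seen together in one small service. The following is an added example written for this glossary entry, not code from any particular library or project: access tokens are HMAC-signed, short-lived and self-contained; refresh tokens are random, stored only as hashes in a per-login session record, and rotated on every use, so a replay of an already-rotated token revokes the whole session. The key, lifetimes, `Session` record and the `TokenService` class are all assumed names chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

ACCESS_TTL = 300              # assumed: access tokens live 5 minutes
REFRESH_TTL = 14 * 24 * 3600  # assumed: refresh tokens live 14 days


@dataclass
class Session:
    """Server-side record of one login (one device). Raw refresh tokens are never stored."""
    user: str
    current_hash: str = ""                          # hash of the only refresh token accepted right now
    seen_hashes: set = field(default_factory=set)   # hashes of every refresh token ever issued here
    expires_at: float = 0.0
    revoked: bool = False


class TokenService:
    def __init__(self, key: bytes, now=time.time):
        self.key = key        # HMAC key for access tokens (a managed secret in practice)
        self.now = now        # injectable clock so expiry can be exercised in tests
        self.sessions = {}    # session id -> Session

    # ---- access tokens: signed, self-contained, short-lived ----
    @staticmethod
    def _b64(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

    def _issue_access(self, user: str, sid: str) -> str:
        payload = {"sub": user, "sid": sid, "exp": self.now() + ACCESS_TTL}
        body = self._b64(json.dumps(payload, sort_keys=True).encode())
        sig = self._b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def verify_access_token(self, token: str):
        """Return the payload if signature and expiry check out, else None.
        No session lookup: an access token stays valid until it expires, which is
        exactly why its lifetime is kept short."""
        body, sep, sig = token.partition(".")
        if not sep:
            return None
        expected = self._b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if payload["exp"] <= self.now():
            return None
        return payload

    # ---- refresh tokens: random, stored hashed, rotated on every use ----
    @staticmethod
    def _hash(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def _issue_refresh(self, sid: str, s: Session) -> str:
        raw = secrets.token_urlsafe(32)
        s.current_hash = self._hash(raw)
        s.seen_hashes.add(s.current_hash)
        return f"{sid}.{raw}"   # token_urlsafe never emits '.', so the split is unambiguous

    def login(self, user: str):
        """Step 1: issue an access token plus a refresh token bound to a new session."""
        sid = secrets.token_urlsafe(16)
        s = Session(user=user, expires_at=self.now() + REFRESH_TTL)
        self.sessions[sid] = s
        return self._issue_access(user, sid), self._issue_refresh(sid, s)

    def refresh(self, refresh_token: str):
        """Steps 3-4 with rotation: accept the current token once, retire it, issue a new pair.
        A retired token being presented again means two parties hold it, so the session is revoked."""
        sid, _, raw = refresh_token.partition(".")
        s = self.sessions.get(sid)
        if s is None or s.revoked or s.expires_at <= self.now():
            return None
        h = self._hash(raw)
        if hmac.compare_digest(h, s.current_hash):
            return self._issue_access(s.user, sid), self._issue_refresh(sid, s)
        if h in s.seen_hashes:
            s.revoked = True    # reuse detected: an already-rotated token was replayed
        return None

    def revoke(self, sid: str) -> None:
        """Logout or 'sign out this device': the session refuses every further refresh."""
        if sid in self.sessions:
            self.sessions[sid].revoked = True


def demo():
    """Walk through login, expiry, rotation and a replayed (stolen) refresh token."""
    clock = [1_000_000.0]
    svc = TokenService(key=secrets.token_bytes(32), now=lambda: clock[0])
    access, refresh1 = svc.login("alice")
    clock[0] += ACCESS_TTL + 1                          # the access token has now expired
    expired = svc.verify_access_token(access) is None
    access2, refresh2 = svc.refresh(refresh1)           # normal rotation
    replay_rejected = svc.refresh(refresh1) is None     # a stolen copy of refresh1 is replayed
    family_revoked = svc.refresh(refresh2) is None      # the legitimate holder is locked out too
    return {"expired": expired, "rotated": refresh2 != refresh1,
            "replay_rejected": replay_rejected, "family_revoked": family_revoked}


if __name__ == "__main__":
    print(demo())
```

Because the server keeps only hashes, a database leak does not hand out usable refresh tokens, and because every session is a separate record, "sign out this device" is a single flag rather than a global key rotation. The cost of reuse detection is that the legitimate client also loses its session after a replay and has to log in again, which is the intended outcome once a token is known to be held by two parties.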