What is Token Refresh?
Turkish: Token Yenileme
Token refresh obtains a new short-lived access token with a refresh token, keeping sessions active without asking users to log in again.
What is Token Refresh?
Token refresh is an authentication flow that keeps a user’s session active without asking for the password again. A short-lived access token is usually used for API calls, while a longer-lived refresh token is stored only to obtain a new access token.
How Does It Work?
A typical flow looks like this:
- The user logs in and the server issues an access token and refresh token.
- The application sends the access token with API requests.
- When the access token expires, the client calls the refresh endpoint.
- If the refresh token is valid, a new access token is issued, often with a new refresh token.
In systems using JWT, access tokens are kept short-lived. In OAuth2 flows, refresh token permissions are limited by scope and client type.
Security Considerations
If a refresh token is stolen, an attacker can keep minting new access tokens until the refresh token expires or is revoked. Token rotation (issuing a new refresh token on every refresh and retiring the old one), reuse detection (treating a retired token presented again as a sign of compromise and revoking the whole session), device-level session records, and revocation are therefore important. Web applications often store the refresh token in HttpOnly, Secure, SameSite cookies; mobile apps should prefer the secure storage provided by the operating system.
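The rotation and reuse-detection behaviour described above, as an added example in Python that is not code from the original page: a minimal in-memory refresh-token store where each login starts a token family, every refresh retires the old token and issues a new one, and reuse of a retired token revokes the entire family. The class and constant names are assumptions; a real service would persist these records and return a signed JWT instead of a plain claims dict.

```python
import secrets
import time

ACCESS_TTL = 300                 # short-lived access token: 5 minutes (assumed)
REFRESH_TTL = 30 * 24 * 3600     # longer-lived refresh token: 30 days (assumed)


class RefreshTokenStore:
    """Refresh-token store with rotation, reuse detection and revocation.

    A login creates a token *family*. Each refresh marks the presented token
    as retired and issues a successor in the same family. If a retired token
    is ever presented again, the token is assumed stolen and the whole family
    (attacker's copy and legitimate copy alike) stops working.
    """

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock for testing
        self.tokens = {}               # token -> record dict
        self.revoked_families = set()  # families killed by reuse or logout

    def issue_on_login(self, user):
        """Start a new family for a fresh login and return its first token."""
        return self._issue(user, secrets.token_hex(8))

    def _issue(self, user, family):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"family": family, "user": user,
                              "exp": self.now() + REFRESH_TTL, "retired": False}
        return token

    def revoke(self, token):
        """Explicit revocation (e.g. logout): kill the token's whole family."""
        rec = self.tokens.get(token)
        if rec is not None:
            self.revoked_families.add(rec["family"])

    def refresh(self, token):
        """Return (access_claims, new_refresh_token) or None if refused."""
        rec = self.tokens.get(token)
        if rec is None or rec["family"] in self.revoked_families:
            return None
        if rec["retired"]:
            # Reuse of an already-rotated token: treat the family as compromised.
            self.revoked_families.add(rec["family"])
            return None
        if rec["exp"] < self.now():
            return None
        rec["retired"] = True                       # rotation: old token dies
        new_refresh = self._issue(rec["user"], rec["family"])
        access = {"sub": rec["user"], "exp": self.now() + ACCESS_TTL}
        return access, new_refresh
```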