
Refresh token concept in Express

Introduction

A refresh token helps keep a user logged in without asking for their password again. When the short-lived access token expires, the app sends the refresh token to the server and receives a new access token in return.

Typical situations where a refresh token is useful:

When you want users to stay logged in for a long time without re-entering their password.
When your access tokens expire quickly for security reasons.
When you want to improve the user experience by avoiding frequent logins.
When you want to manage user sessions in a web app safely.
When you want to separate short-lived access tokens from longer-lived refresh tokens.
Syntax
Express
POST /token
Headers: Authorization: Bearer <refresh_token>
Response: { accessToken: <new_access_token> }
The refresh token is sent in the request body or in a header; in either case it must travel over HTTPS, because anyone who obtains it can mint new access tokens.
The server verifies the refresh token (its signature, its expiry if it has one, and that it is still in the server-side store) before issuing a new access token.
Examples
This example shows a simple route to accept a refresh token and respond with a new access token.
Express
// Requires app.use(express.json()) so that req.body is parsed
app.post('/token', (req, res) => {
  const refreshToken = req.body.token;
  if (!refreshToken) return res.sendStatus(401); // no token supplied
  // Verify the refresh token (see the next example) and issue a new access token
});
This code verifies the refresh token and creates a new access token if valid.
Express
const jwt = require('jsonwebtoken');

// Runs inside the /token handler: refreshToken is req.body.token, res is the response,
// and REFRESH_TOKEN_SECRET / ACCESS_TOKEN_SECRET are loaded from configuration
jwt.verify(refreshToken, REFRESH_TOKEN_SECRET, (err, user) => {
  if (err) return res.sendStatus(403); // bad signature or expired refresh token
  // Re-issue only the claims you need; the new access token is short-lived again
  const accessToken = jwt.sign({ name: user.name }, ACCESS_TOKEN_SECRET, { expiresIn: '15m' });
  res.json({ accessToken });
});
Sample Program

This Express app shows a simple login route that issues access and refresh tokens. The /token route accepts a refresh token and returns a new access token if the refresh token is valid and stored.

Express
// ES module syntax: run with "type": "module" in package.json or save as .mjs
import express from 'express';
import jwt from 'jsonwebtoken';

const app = express();
app.use(express.json()); // parse JSON request bodies into req.body

// Example secrets only; a real app loads distinct, random secrets from configuration
const ACCESS_TOKEN_SECRET = 'access-secret-example';
const REFRESH_TOKEN_SECRET = 'refresh-secret-example';

// In-memory store of refresh tokens that are still valid; a real app uses a database.
// Removing a token from this store revokes it.
let refreshTokens = [];

app.post('/login', (req, res) => {
  // In a real app, validate user credentials here
  const user = { name: req.body.name };
  const accessToken = jwt.sign(user, ACCESS_TOKEN_SECRET, { expiresIn: '15m' });
  // No expiresIn: this refresh token is valid until it is removed from the store
  const refreshToken = jwt.sign(user, REFRESH_TOKEN_SECRET);
  refreshTokens.push(refreshToken);
  res.json({ accessToken, refreshToken });
});

app.post('/token', (req, res) => {
  const refreshToken = req.body.token;
  if (!refreshToken) return res.sendStatus(401);                        // nothing supplied
  if (!refreshTokens.includes(refreshToken)) return res.sendStatus(403); // unknown or revoked

  jwt.verify(refreshToken, REFRESH_TOKEN_SECRET, (err, user) => {
    if (err) return res.sendStatus(403); // bad signature
    const accessToken = jwt.sign({ name: user.name }, ACCESS_TOKEN_SECRET, { expiresIn: '15m' });
    res.json({ accessToken });
  });
});

app.listen(3000, () => console.log('Server running on port 3000'));
Important Notes

Always store refresh tokens securely, for example in an HttpOnly cookie.

Refresh tokens should be long-lived but revocable if needed.

Access tokens are short-lived to reduce risk if stolen.

Summary

Refresh tokens let apps get new access tokens without asking users to log in again.

They improve security by keeping access tokens short-lived.

Use refresh tokens carefully and store them securely.