Concept Flow - Refresh token concept

User logs in

↓

Server issues Access Token + Refresh Token

↓

User uses Access Token to access resources

↓

Access Token expires?

No→Continue Access

Yes↓

User sends Refresh Token to server

↓

Server verifies Refresh Token

↓

If valid, server issues new Access Token

↓

User continues with new Access Token

↓

If Refresh Token invalid, user must log in again

This flow shows how a user gets tokens, uses the access token until it expires, then uses the refresh token to get a new access token without logging in again.

Execution Sample

Express

app.post('/token', (req, res) => {
  const refreshToken = req.body.token;
  if (!refreshToken) return res.sendStatus(401);
  if (!refreshTokens.includes(refreshToken)) return res.sendStatus(403);
  jwt.verify(refreshToken, REFRESH_SECRET, (err, user) => {
    if (err) return res.sendStatus(403);
    const accessToken = generateAccessToken({ name: user.name });
    res.json({ accessToken });
  });
});

This Express route receives a refresh token, verifies it, and if valid, sends back a new access token.

Execution Table

Step	Action	Input	Check/Condition	Result/Output
1	Receive POST /token request	{ token: 'refreshToken123' }	Is token present?	Yes, proceed
2	Check if refresh token is in store	'refreshToken123' in refreshTokens?	Yes	Proceed to verify
3	Verify refresh token signature	jwt.verify(refreshToken123)	Valid?	Yes, decoded user info
4	Generate new access token	User info from token	N/A	New access token created
5	Send response	{ accessToken: 'newAccessToken456' }	N/A	Client receives new access token
6	If token missing or invalid	N/A	No or invalid token	Send 401 or 403 status

💡 Stops when refresh token is missing or invalid, or after sending new access token.

Variable Tracker

Variable	Start	After Step 1	After Step 2	After Step 3	After Step 4	Final
refreshToken	undefined	'refreshToken123'	'refreshToken123'	'refreshToken123'	'refreshToken123'	undefined
refreshTokens	['refreshToken123']	['refreshToken123']	['refreshToken123']	['refreshToken123']	['refreshToken123']	['refreshToken123']
user	undefined	undefined	undefined	{ name: 'Alice' }	{ name: 'Alice' }	undefined
accessToken	undefined	undefined	undefined	undefined	'newAccessToken456'	'newAccessToken456'

Key Moments - 3 Insights

Why do we check if the refresh token is in the store before verifying it?

What happens if the refresh token is expired or tampered with?

Why do we send a new access token but not a new refresh token?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution_table, what is the result at step 3 when jwt.verify fails?

AA new access token is generated

BThe refresh token is added to the store

CThe server sends status 403

DThe user is logged out automatically

Concept Snapshot

Refresh Token Concept in Express:
- User logs in and gets Access + Refresh Tokens
- Access Token used for resource access, expires quickly
- When expired, client sends Refresh Token to /token endpoint
- Server verifies Refresh Token and issues new Access Token
- Refresh Token stored server-side to allow revocation
- If Refresh Token invalid or missing, user must log in again

Full Transcript

This visual execution trace shows how refresh tokens work in an Express app. When a user logs in, the server sends both an access token and a refresh token. The user uses the access token to access protected resources. When the access token expires, the user sends the refresh token to the server's /token route. The server first checks if the refresh token is present and stored in the server's list. Then it verifies the token's signature. If valid, the server generates a new access token and sends it back. If the refresh token is missing, invalid, or expired, the server responds with an error status, forcing the user to log in again. This flow helps keep users logged in securely without asking for credentials repeatedly.