REST API | programming | ~10 mins

Token refresh mechanism in a REST API - Step-by-Step Execution

Concept Flow - Token refresh mechanism
1. Client sends login request
2. Server validates credentials
3. Server issues Access Token + Refresh Token
4. Client uses Access Token for API calls
5. Access Token expired? (signalled by a 401 Unauthorized response, or by the token's known lifetime)
   - No: continue using the API (back to 4)
   - Yes: continue with 6
6. Client sends Refresh Token to server
7. Server validates Refresh Token
8. Server issues new Access Token (and optionally a new Refresh Token)
9. Client uses new Access Token
10. Repeat the cycle from 4
This flow shows how a client uses a refresh token to obtain a new access token when the old one expires, keeping the session alive without asking the user to log in again.
Execution Sample
REST API
    POST /login
    Response: {"access_token": "abc", "refresh_token": "xyz"}

    Use access_token for API calls

    If access_token expired (API returns 401 Unauthorized):
        POST /refresh with refresh_token
        Response: {"access_token": "new_abc"}
The client logs in, receives both tokens, uses the access token for API calls, and when it expires exchanges the refresh token for a new access token instead of sending credentials again.
Execution Table
| Step | Action | Input | Server Response | Client State |
| 1 | Client sends login request | username/password | Valid credentials | No tokens |
| 2 | Server issues tokens | - | {"access_token": "abc", "refresh_token": "xyz"} | Received tokens |
| 3 | Client calls API with access_token | access_token='abc' | 200 OK | Access token valid |
| 4 | Access token expires | Time passes | 401 Unauthorized | Access token expired |
| 5 | Client sends refresh request | refresh_token='xyz' | Valid refresh token | Refresh token valid |
| 6 | Server issues new access token | - | {"access_token": "new_abc"} | Updated access token |
| 7 | Client calls API with new access_token | access_token='new_abc' | 200 OK | Access token valid |
| 8 | Refresh token invalid or expired | refresh_token='xyz' | 401 Unauthorized | Must re-login |
| 9 | Client logs in again | username/password | Valid credentials | No tokens |
| 10 | Server issues new tokens | - | {"access_token": "abc2", "refresh_token": "xyz2"} | Received new tokens |
💡 The process repeats until the refresh token expires or is invalidated; then the user must log in again.
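The flow, the execution sample and the table above, implemented end to end as an added worked example (this is not code from the original page): a hypothetical in-memory TokenService plays the server (login, protected call, refresh) and a hypothetical ApiClient plays the client, refreshing on 401 and falling back to a fresh login only when the refresh is rejected. It also shows the variant raised under Key Moments below, where the server rotates the refresh token on every use, and the reuse detection that rotation makes possible. The class and endpoint names, the token lifetimes, the token-hashing choice and the sample account are all assumptions made for the example.

```python
# Added example, not from the original page: an in-memory token service plus a client that replay
# the flow and table above. TokenService, ApiClient, the /login, /refresh and /protected endpoints
# and the sample account are hypothetical; a real server would use a database or signed JWTs.
import hashlib, hmac, secrets, time

ACCESS_TTL = 300              # seconds: short-lived access token ("abc" in the table)
REFRESH_TTL = 7 * 24 * 3600   # seconds: long-lived refresh token ("xyz")

class AuthError(Exception): """Any condition the server answers with 401 Unauthorized."""
def _digest(token):           # store only token hashes: a leaked token store cannot be replayed
    return hashlib.sha256(token.encode()).hexdigest()
def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TokenService:           # server side: POST /login, POST /refresh, GET /protected
    def __init__(self, users, clock=time.time):
        self.clock, self._access, self._refresh, self._revoked = clock, {}, {}, set()
        self._users = {}      # username -> (salt, pbkdf2 hash); the plaintext is never kept
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, _pw_hash(password, salt))

    def _issue(self, user, family):
        access, refresh, now = secrets.token_urlsafe(32), secrets.token_urlsafe(32), self.clock()
        self._access[_digest(access)] = (user, now + ACCESS_TTL)
        self._refresh[_digest(refresh)] = {"user": user, "exp": now + REFRESH_TTL,
                                           "family": family, "used": False}
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}

    def login(self, username, password):
        salt, stored = self._users.get(username, (b"", b""))
        if not stored or not hmac.compare_digest(stored, _pw_hash(password, salt)):
            raise AuthError("invalid credentials")
        return self._issue(username, family=secrets.token_hex(8))   # one token family per login

    def call_api(self, access_token):
        user, exp = self._access.get(_digest(access_token), (None, 0))
        if user is None or self.clock() >= exp:
            return 401, {"error": "access token invalid or expired"}
        return 200, {"user": user}

    def refresh(self, refresh_token):
        rec = self._refresh.get(_digest(refresh_token))
        if rec is None or rec["family"] in self._revoked or self.clock() >= rec["exp"]:
            raise AuthError("refresh token invalid or expired")
        if rec["used"]:       # reuse detection: a rotated token seen twice means a copy leaked
            self._revoked.add(rec["family"])
            raise AuthError("refresh token reuse detected; session revoked")
        rec["used"] = True    # rotation: every refresh token is single-use
        return self._issue(rec["user"], rec["family"])

class ApiClient:              # client side: use access token, refresh on 401, re-login last
    def __init__(self, server):
        self.server, self.access_token, self.refresh_token, self.state = server, None, None, "No tokens"

    def login(self, username, password):
        tokens = self.server.login(username, password)
        self.access_token, self.refresh_token = tokens["access_token"], tokens["refresh_token"]
        self.state = "Received tokens"

    def call(self):
        status, body = self.server.call_api(self.access_token or "")
        if status == 401 and self._try_refresh():                  # expired: refresh, then retry once
            status, body = self.server.call_api(self.access_token)
        if status == 200:
            self.state = "Access token valid"
        return status, body

    def _try_refresh(self):
        self.state = "Access token expired"
        try:
            tokens = self.server.refresh(self.refresh_token or "")
        except AuthError:
            self.state = "Must re-login"
            return False
        self.access_token, self.refresh_token = tokens["access_token"], tokens["refresh_token"]
        self.state = "Updated access token"
        return True

def run_scenario():           # replay the execution table against a fake clock
    now = [1_700_000_000.0]
    server = TokenService({"alice": "correct horse battery staple"}, clock=lambda: now[0])
    client = ApiClient(server)                                     # constructed sample account
    trace = []
    client.login("alice", "correct horse battery staple"); trace.append(("login", 200, client.state))  # 1-2
    status, _ = client.call();     trace.append(("call", status, client.state))                  # step 3
    now[0] += ACCESS_TTL + 1       # step 4: the access token expires
    stolen = client.refresh_token  # an attacker copied the refresh token before it was rotated
    status, _ = client.call();     trace.append(("refresh+retry", status, client.state))         # 5-7
    try:
        server.refresh(stolen)     # replay of the rotated token: detected, whole family revoked
    except AuthError as e:
        trace.append(("replay", 401, str(e)))
    now[0] += ACCESS_TTL + 1       # step 8: access expired and the refresh token is no longer accepted
    status, _ = client.call();     trace.append(("call after revocation", status, client.state))
    client.login("alice", "correct horse battery staple"); trace.append(("re-login", 200, client.state))
    return trace
```

run_scenario() returns one row per event, with the client state column matching the table: "Access token valid" after step 3, again after the refresh-and-retry of steps 5 to 7, "Must re-login" at step 8, and "Received tokens" after the second login. The server keeps only hashes of the tokens it issued, binds every refresh token to the login that created it, and revokes that whole family the moment an already-used refresh token is presented, which is why the client's legitimate replacement token is rejected at step 8 in this run.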
Variable Tracker
| Variable | Start | After Step 2 | After Step 6 | After Step 10 |
| access_token | None | "abc" | "new_abc" | "abc2" |
| refresh_token | None | "xyz" | "xyz" | "xyz2" |
| token_validity | N/A | Valid | Valid | Valid |
Key Moments - 3 Insights
Why does the client need to send the refresh token after the access token expires?
Because the access token is deliberately short-lived (limiting the damage if it leaks), the client needs another way to get a new one without asking the user for credentials. The refresh token is that credential: steps 4 to 6 in the execution table show the 401, the refresh request and the new access token.
What happens if the refresh token is invalid or expired?
The server responds with 401 Unauthorized (step 8), and the client has no credential left to exchange, so it must log in again to get a fresh pair of tokens, as shown in steps 9 and 10.
Does the refresh token change every time a new access token is issued?
Not always. In this table the refresh token stays "xyz" across the refresh in step 6 and only changes at step 10 because the client logged in again. Many servers instead rotate it, returning a new refresh token with every new access token and invalidating the old one; rotation limits how long a stolen refresh token stays useful and lets the server detect reuse of the old token. Which behaviour you get depends on server policy.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table: what is the client state after step 6?
A. Access token expired
B. No tokens
C. Updated access token
D. Must re-login
💡 Hint
Check the 'Client State' column for step 6 in the execution table.
At which step does the server respond with 401 Unauthorized because the access token has expired?
A. Step 3
B. Step 4
C. Step 5
D. Step 8
💡 Hint
Look for '401 Unauthorized' in the 'Server Response' column of the execution table, and check which token the step is about.
If the refresh token expires, what must the client do next according to the execution flow?
A. Log in again to get new tokens
B. Continue using the expired access token
C. Send the same refresh token again
D. Ignore tokens and call the API
💡 Hint
Refer to steps 8 to 10 in the execution table and the client state changes.
Concept Snapshot
Token refresh mechanism:
- Client gets access + refresh tokens on login
- Access token is used for API calls and is short-lived
- When the access token expires (API returns 401), the client sends the refresh token
- Server validates the refresh token and issues a new access token (optionally a new refresh token too)
- If the refresh token is invalid or expired, the client must log in again
- The refresh token is a long-lived credential: store it securely, send it only over TLS, and let the server revoke it
- Keeps the user logged in without frequent re-authentication
Full Transcript
The token refresh mechanism helps keep a user logged in securely. First, the client logs in and receives an access token and a refresh token. The access token is used to call APIs but expires quickly. When it expires, the client sends the refresh token to the server. The server checks if the refresh token is valid and then sends a new access token. This cycle repeats, allowing the client to stay logged in without asking the user to enter credentials again. If the refresh token expires or is invalid, the client must log in again to get new tokens. This process balances security and convenience.