Refresh vs. Long-lived Access Tokens

last updated: Oct 20, 2023

https://grayduck.mn/2023/04/17/refresh-vs-long-lived-access-tokens/

One question which I frequently receive is:

Why would you want to use long-lived refresh tokens that generate short-lived access tokens as commonly seen in OAuth 2.0, versus long-lived access tokens? Aren’t you simply replacing one long-lived token with another?

There isn’t any one huge advantage that immediately stands out in favor of refresh tokens. Instead, there are a number of incremental improvements that add up to make refresh tokens the overall superior design.

Refresh token pros:

cons:
