In this blog, I am going to describe Access Token and Refresh Token in Web API. As a security mechanism in Web APIs, we use different types of authentication methods, like token-based authentication and basic authentication, etc. Now, I will describe the token-based authentication in Web API. In token-based authentication, we use a token for authentication and authorization. Here, we have two types of tokens - Access Token and Refresh Token. I will explain about these two tokens in brief.
Access Token
While using an access token, first, the client sends a request to the authentication server and then, the authentication server identifies if the request is valid or not. If the request is valid, then the server responds Access Token, else its response is "Invalid Request" error. After that, the client gets Access Token and again, sends this Access Token to the resource server and Resource Server responds with resources to the client.
Refresh Token
Refresh Token is used to retrieve the Access Token. Access Token gets expired after some time. Instead of sending a Request, we use Refresh Token for security purpose. For example, we send a username and password for accessing the token. If we send the username and password with every request, there is a big chance of these getting hacked. Well, this is not secure. So, we send Refresh Token. We can save a Refresh Token in our local storage or database. Then, we can use Refresh Token every time the Access Token is expired.