What is a Token? Refresh Token vs. Access Token

What is a token?

Tokens are pieces of data that carry just enough information about the user to allow a system or application to perform authorization and authentication.

What's an access token?

When a user logs in, the authorization server issues an access token, which is an artifact ("artifact" typically refers to a file or set of files that are produced as a result of a build or compilation process) that client applications can use to make secure calls to an API server. When a client application needs to access protected resources on a server on behalf of a user, the access token lets the client signal to the server that it has received authorization by the user to perform certain tasks or access certain resources.

It's important to highlight that the access token is a bearer token. Those who hold the token can use it.

The access token is stored in the client's browser in cookies. It is only valid for a short time, defined in terms of hours or days.

What's a refresh token?

As mentioned, for security purposes, access tokens may be valid for a short amount of time. Once they expire, client applications can use a refresh token to "refresh" the access token. That is, a refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again. The client application can get a new access token as long as the refresh token is valid and unexpired.

The refresh token is stored in the database. A refresh token that has a very long lifespan could theoretically give infinite power to the token bearer to get a new access token to access protected resources anytime.

As long as the refresh token exists, users do not need to be redirected to the login page. Once the refresh token has expired, users need to log in again, and to access protected routes users have to provide an access token.

The key difference between a refresh token and an access token is that the refresh token is used for user authentication, while the access token is used for user authorization to access any protected routes.
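The lifecycle described above, sketched as an added example that is not code from the original article: a login issues a short-lived signed access token plus a refresh token recorded server-side, and the refresh token is exchanged for new access tokens until it expires. The lifetimes, the HMAC-signed token format, the dict standing in for the database, and storing only a hash of the refresh token are all assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)   # signing key for access tokens (assumed)
ACCESS_TTL = 15 * 60               # access token lifetime in seconds (assumed)
REFRESH_TTL = 7 * 24 * 3600        # refresh token lifetime in seconds (assumed)
refresh_db = {}                    # stand-in for the database: sha256(token) -> (user, expiry)

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_access_token(user, now):
    payload = b64(json.dumps({"sub": user, "exp": now + ACCESS_TTL}).encode())
    sig = b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_access_token(token, now):
    """Return the user if the signature is valid and the token is unexpired, else None."""
    try:
        payload, sig = token.split(".")
        expected = b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):   # constant-time comparison
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    return claims["sub"] if now < claims["exp"] else None

def login(user, now):
    """Issue both tokens; only a hash of the refresh token is kept server-side."""
    refresh = secrets.token_urlsafe(32)
    refresh_db[hashlib.sha256(refresh.encode()).hexdigest()] = (user, now + REFRESH_TTL)
    return issue_access_token(user, now), refresh

def refresh_access_token(refresh, now):
    """Exchange a valid refresh token for a new access token; None means log in again."""
    key = hashlib.sha256(refresh.encode()).hexdigest()
    record = refresh_db.get(key)
    if record is None:
        return None
    user, expiry = record
    if now >= expiry:
        del refresh_db[key]        # expired refresh tokens are purged
        return None
    return issue_access_token(user, now)
```

Because the refresh token is a bearer credential with a long lifetime, the sketch keeps its expiry server-side so that the record can be deleted to force a new login.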
