How to generate a refresh token?


I am implementing JWT in one of my node apps. I am wondering, if there is any definite format/ structure in which a refresh token should be generated?

By definite format I mean whether a refresh token contain any claims like a JWT?


Let’s assume a refresh token to be: fdb8fdbecf1d03ce5e6125c067733c0d51de209c (taken from Auth0). Now, what am I supposed to understand from this?

  • Is this a random unique string?
  • Is this an encrypted string which has claims inside?


Short answer

  • A refresh-token is just a random string.
  • All the user-related information including claims go in access-tokens


You should keep something like this:

  _id: [refreshTokenId],
  value: 'fdb8fdbecf1d03ce5e6125c067733c0d51de209c',
  userId: [userId],
  expires: [some date],
  createdByIp: [some ip],
  createdAt: [some date],
  replacedBy: [anotherRefreshTokenId],
  revokedByIp: [some other ip],
  revokedBy: [some other date],

Refresh tokens are random strings generated by the authentication server. They are generated after successful authentication (for example, if the username and password of the user are valid).

Their sole purpose is to remove the need to exchange user credentials repeatedly. They are different from access-tokens.
An access-token usually has information about the user (like name, claims). These are usually short-lived. JWT is one example.

To get a JWT the app has to verify the credentials.
To add additional security, and to stop bothering the user for username and password every 15 mins, we just create a signature on the server-side and forward it to the app.
Next time, whenever the app needs to create a JWT, it can just send the signature back to the server. This signature is your refresh token.
Refresh tokens are also supposed to be saved somewhere.
So you would probably create a table/collection in your database, linking the refresh-token values with userIds and ip_address.
This is how you could create a session management panel for the user. The user can then view all the devices (ip_addresses) for which we have registered a refreshtoken.

Answered By – Akshay Kumar

Answer Checked By – Terry (AngularFixing Volunteer)

Leave a Reply

Your email address will not be published.