A good auth system contains access and refresh tokens. I know what access tokens are for and I know what refresh tokens DO, but I don't understand their meaning.
If I authenticate myself successfully to an API, then I get an access token and a refresh token. If a bad guy steals my access token, he can access the API for maybe the next 5 minutes or so. But if he steals my refresh token, which maybe expires in 6 months, he can give himself a new access token every time and so he can stay longer in the system.
So what are the advantages of refresh tokens? I don't see them.
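To make the two token types concrete, here is an added example (editor's code, not part of the original question or any library's API) of a minimal token service using only the Python standard library. It uses the lifetimes from the question: a stateless, HMAC-signed access token that expires after 5 minutes and can be checked by any API node without a database lookup, and a random refresh token that lives about 6 months but only as a record in a server-side store. Because the refresh token is looked up rather than trusted on its face, the server can rotate it on every use, detect a replay of an already-rotated token (which is what a theft looks like from the server's side), and revoke a user's refresh tokens on logout. The `TokenService` class, the single-use rotation rule and the `demo()` walkthrough are the editor's design choices, not something the question specifies.

```python
"""Minimal access/refresh token issuer with a server-side refresh-token
store, rotation and reuse detection. Added example, standard library only."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 5 * 60                 # 5 minutes, as in the question
REFRESH_TTL = 180 * 24 * 60 * 60    # roughly 6 months, as in the question


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Access tokens are stateless (HMAC-signed, verified offline by any API
    node). Refresh tokens are random handles looked up in a server-side store,
    so they can be rotated, revoked and watched for replay."""

    def __init__(self, signing_key: bytes, now=time.time):
        self._key = signing_key
        self._now = now          # injectable clock so the demo can fast-forward
        self._store = {}         # sha256(refresh token) -> record

    def _sign(self, payload: dict) -> str:
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(mac)}"

    def verify_access(self, token: str):
        """Return the payload if signature and expiry check out, else None."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            payload = json.loads(_unb64(body))
        except (ValueError, TypeError):
            return None
        if payload.get("exp", 0) <= self._now():
            return None
        return payload

    def login(self, user: str):
        """A fresh login starts a new refresh-token family."""
        return self._issue(user, family=secrets.token_hex(8))

    def _issue(self, user: str, family: str):
        now = self._now()
        access = self._sign({"sub": user, "exp": now + ACCESS_TTL})
        refresh = secrets.token_urlsafe(32)
        # Store only a hash: a leaked database must not yield usable tokens.
        self._store[hashlib.sha256(refresh.encode()).hexdigest()] = {
            "sub": user, "family": family, "exp": now + REFRESH_TTL, "used": False,
        }
        return access, refresh

    def refresh(self, refresh_token: str):
        """Exchange a refresh token for a new (access, refresh) pair. Each
        refresh token is single-use; seeing one twice means it leaked (thief or
        real client is replaying), so the whole family is revoked."""
        rec = self._store.get(hashlib.sha256(refresh_token.encode()).hexdigest())
        if rec is None or rec["exp"] <= self._now():
            return None
        if rec["used"]:
            self.revoke_family(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["sub"], rec["family"])

    def revoke_family(self, family: str) -> None:
        for rec in self._store.values():
            if rec["family"] == family:
                rec["exp"] = 0

    def logout(self, user: str) -> None:
        """Server-side revocation kills every refresh token of the user. Issued
        access tokens cannot be recalled, which is why their TTL is short."""
        for rec in self._store.values():
            if rec["sub"] == user:
                rec["exp"] = 0


def demo():
    """Walk through the scenario from the question with a fake clock."""
    clock = [1_700_000_000]
    svc = TokenService(signing_key=secrets.token_bytes(32), now=lambda: clock[0])
    out = {}
    access1, refresh1 = svc.login("alice")
    out["login_ok"] = svc.verify_access(access1)["sub"] == "alice"
    clock[0] += ACCESS_TTL + 1                 # the 5-minute access token expires
    out["access_expired"] = svc.verify_access(access1) is None
    access2, refresh2 = svc.refresh(refresh1)  # legitimate client rotates
    out["refresh_ok"] = svc.verify_access(access2)["sub"] == "alice"
    # A thief who copied refresh1 earlier replays it: detected, family killed.
    out["replay_rejected"] = svc.refresh(refresh1) is None
    out["family_revoked"] = svc.refresh(refresh2) is None
    # New session, then explicit logout: the refresh token dies at once, the
    # access token lingers only until its short expiry.
    access3, refresh3 = svc.login("alice")
    svc.logout("alice")
    out["logout_kills_refresh"] = svc.refresh(refresh3) is None
    out["access_survives_until_exp"] = svc.verify_access(access3)["sub"] == "alice"
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the walkthrough makes is that the two tokens trade off differently: the access token is cheap to verify everywhere but impossible to recall once issued, so its window is kept at minutes; the refresh token is long-lived but revocable and rotatable because the server holds a record of it, so a stolen refresh token is detected the next time both the thief and the real client try to use the same one, and can be killed outright on logout or password change.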