It can sometimes be confusing to distinguish between different token types. They have different lifetimes and have different purposes. However, not all are available in all situations.

  • ID tokens carry identity information encoded in the token itself, which must be a JWT (JSON Web Token).

  • Access tokens are used to gain access to resources by using them as bearer tokens. Access tokens are used as bearer tokens. A bearer token means that the bearer can access authorized resources without further identification. Because of this, it’s important that bearer tokens are protected. If someone can get ahold of and “bear” your access token, they can masquerade as you. Lifetime of access tokens is usually one hour. While not mandatory by the standard in our case this token is also a JWT.

  • Refresh tokens exist solely to get more access tokens. It is not convenient to ask an end-user to enter their credentials every time the access tokens expire. On the other side, from security perspective, it should be possible to prevent access to someone without waiting weeks before their token expires. Refresh tokens are valid for multiple weeks and they can be revoked.


App storePlay store