Access tokens and refresh tokens are fundamental components of modern application security. They ensure secure user authentication while maintaining a seamless experience.
Access Tokens
An access token is typically a dot-separated, base64url-encoded string (often in JWT format) containing:
– Header (signing algorithm & token type)
– Payload (user claims, expiration time)
– Signature (integrity verification)
Purpose: Grants temporary access to protected resources (e.g., APIs).
Validity: Short-lived (minutes to hours).
Refresh Tokens
A refresh token is a long-lived credential used to obtain a new access token without re-authentication.
– Does not grant direct access.
– Stored securely (HTTP-only cookies, secure storage).
– Prevents frequent login prompts.
You Should Know:
1. Decoding & Validating JWT Tokens (Linux/CLI)
Use `awk`, `base64` and `jq` to decode the JWT payload manually. JWT segments are base64url without padding, so the pipeline restores the `=` padding (and maps `-`/`_` back to `+`/`/`) before `base64 --decode`; without that step GNU base64 rejects most payloads. This only reads the claims; it does not check the signature:
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" | awk -F '.' '{ s = $2; gsub(/-/, "+", s); gsub(/_/, "/", s); n = length(s) % 4; if (n) s = s substr("===", 1, 4 - n); print s }' | base64 --decode | jq
Output:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
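The shell pipeline above shows the claims but proves nothing about who issued the token. As an added Python example (not code from the post), the block below decodes the post's sample token the same way and then does what the pipeline leaves out: it verifies an HS256 signature with a pinned algorithm, constant-time comparison and an `exp` check. The secret used to sign the second token is constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Sample token from the post (the widely published jwt.io example, HS256).
SAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment: str) -> bytes:
    """base64url decode, restoring the padding JWTs strip
    (the reason a bare `base64 --decode` fails on most segments)."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Header and payload exactly as the awk | base64 | jq pipeline shows them.
    For inspection only: nothing here proves the token is genuine."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    compact = {"separators": (",", ":")}
    signing_input = (
        b64url_encode(json.dumps(header, **compact).encode())
        + "."
        + b64url_encode(json.dumps(payload, **compact).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the payload only if the signature is valid and the token has not
    expired; raise ValueError otherwise. `now` is injectable for testing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token's own header
    # decide how it is checked.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    print(decode_unverified(SAMPLE_JWT))
    demo_secret = b"constructed-demo-secret"  # made up for this example
    tok = sign_hs256({"alg": "HS256", "typ": "JWT"},
                     {"sub": "42", "exp": int(time.time()) + 300}, demo_secret)
    print(verify_hs256(tok, demo_secret))
```

`decode_unverified` is the programmatic twin of the shell one-liner; `verify_hs256` is what a resource server must run before trusting any claim, including `exp`.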
2. Generating a New Access Token with cURL
curl -X POST https://api.example.com/auth/refresh \
-H "Authorization: Bearer YOUR_REFRESH_TOKEN" \
-H "Content-Type: application/json" \
-d '{"grant_type":"refresh_token"}'
3. Securing Tokens in Web Apps
- HTTP-only Cookies: Keep tokens out of reach of page scripts, so an XSS bug cannot read them.
- Short Expiry for Access Tokens: Limit how long a leaked token is usable.
- Refresh Token Rotation: Issue a new refresh token on every use and invalidate the old one, so a replayed copy is detected.
4. Checking Token Validity (Windows PowerShell)
# Check JWT expiry (PowerShell)
$token = "YOUR_JWT_TOKEN"
$segment = ($token -split '\.')[1]                        # payload is the second dot-separated segment
$segment = $segment.Replace('-', '+').Replace('_', '/')   # base64url -> standard Base64
$segment += '=' * ((4 - $segment.Length % 4) % 4)         # restore the stripped padding
$payload = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($segment)) | ConvertFrom-Json
$expiry = [System.DateTimeOffset]::FromUnixTimeSeconds($payload.exp).DateTime
Write-Host "Token expires at: $expiry"
5. Revoking Compromised Tokens
Linux: Use Redis to blacklist a token (the entry expires with the token's remaining lifetime)
redis-cli SET "blacklist:YOUR_TOKEN" "revoked" EX 3600
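Sections 3 and 5 together describe one mechanism: rotate refresh tokens so a replayed one is caught, and keep a denylist of revoked access tokens only as long as they would otherwise remain valid. The Python block below is an added example (not from the post) that models both in memory; a production deployment would back the same two maps with Redis, the denylist entries using the `SET ... EX` TTL shown above. The token family idea and the fake clock are assumptions made for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class RefreshRecord:
    user: str
    family: str        # every token descended from one login shares a family id
    expires_at: float
    used: bool = False  # set once rotated; a second presentation is a replay


class FakeClock:
    """Controllable time source so expiry can be tested without sleeping."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class TokenStore:
    """Refresh-token rotation with reuse detection, plus an access-token denylist.
    In-memory stand-in for the Redis keys the post describes."""

    def __init__(self, refresh_ttl: int = 30 * 24 * 3600,
                 clock: Callable[[], float] = time.time):
        self.clock = clock
        self.refresh_ttl = refresh_ttl
        self.refresh: Dict[str, RefreshRecord] = {}
        self.denylist: Dict[str, float] = {}  # access-token id -> deny entry expiry

    def issue_refresh(self, user: str, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh[token] = RefreshRecord(
            user, family or secrets.token_hex(8), self.clock() + self.refresh_ttl)
        return token

    def rotate(self, presented: str) -> Optional[str]:
        """Exchange a refresh token for a fresh one. Returns None when the token
        is unknown, expired, or already used. In the already-used case the whole
        family is revoked: either the client or someone else holds a stale copy,
        and the server cannot tell which, so both lose access and must log in."""
        rec = self.refresh.get(presented)
        if rec is None or self.clock() >= rec.expires_at:
            return None
        if rec.used:
            self.revoke_family(rec.family)
            return None
        rec.used = True
        return self.issue_refresh(rec.user, rec.family)

    def revoke_family(self, family: str) -> int:
        doomed = [t for t, r in self.refresh.items() if r.family == family]
        for t in doomed:
            del self.refresh[t]
        return len(doomed)

    def deny_access_token(self, jti: str, remaining_lifetime: int) -> None:
        """Equivalent of `redis-cli SET blacklist:<jti> revoked EX <seconds>`:
        the deny entry only needs to outlive the access token itself."""
        self.denylist[jti] = self.clock() + remaining_lifetime

    def is_denied(self, jti: str) -> bool:
        deny_until = self.denylist.get(jti)
        if deny_until is None:
            return False
        if self.clock() >= deny_until:
            del self.denylist[jti]  # same effect as Redis TTL eviction
            return False
        return True


if __name__ == "__main__":
    clock = FakeClock()
    store = TokenStore(refresh_ttl=3600, clock=clock)
    r1 = store.issue_refresh("alice")
    r2 = store.rotate(r1)           # normal rotation
    print("replayed r1 rejected:", store.rotate(r1) is None)
    print("family revoked, r2 dead:", store.rotate(r2) is None)
```

The check every resource server then adds is `is_denied(jti)` next to signature and `exp` validation; `rotate` belongs behind the `/auth/refresh` endpoint from section 2.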
What Undercode Says
Tokens are critical for balancing security and usability. Access tokens should be short-lived, while refresh tokens must be stored securely. Always:
– Rotate refresh tokens to prevent replay attacks.
– Use HTTPS to avoid token interception.
– Monitor token usage for anomalies.
Expected output of the refresh request in section 2:
{
"access_token": "eyJhbGciOiJIUz...",
"refresh_token": "def50200ae...",
"expires_in": 3600
}
Reported By: Pavledavitkovic What – Hackers Feeds