Anas Anjaria
Anas Anjaria's blog

Practical guide for Bearer Token Authentication and Authorization

Anas Anjaria
Sep 2, 2022

I got the opportunity to integrate bearer token authentication into our system. As I started working on this task, I did some research to understand the basic concepts and workflow.

I found it challenging to understand all the necessary details because the information is scattered across the internet.

This story documents all my research in one place for my readers.

Basic Concepts

Figure 1 — Access and refresh token

Access token

An access token is a bearer token used to access protected resources (see Figure 1). A client obtains an access token by providing valid credentials.

For security reasons, an access token is short-lived.

I used a 15-minute lifespan for an access token.

Refresh token

A refresh token is not a bearer token but simply a random string. It means refresh tokens are not for accessing protected resources.

When an access token expires, a refresh token is used to obtain a new access token. Figure 1 above illustrates this concept.

Typically, a refresh token is long-lived.

I used a 1-week lifespan for a refresh token.

Basic Workflow

I followed this guide [1] for the basic workflow.

Figure 2 — Bearer token authentication and authorization workflow
  1. The client requests an access token by providing valid credentials.
  2. The auth server authenticates the credentials and issues an access token and a refresh token.
  3. The client requests to access a protected resource by providing the access token.
  4. The resource server serves the request upon a valid access token.
  5. Steps (3) and (4) require a valid access token. If the client’s access token is expired, it skips to step (7); otherwise, it sends a request to access another protected resource.
  6. Since the access token has expired, the resource server forbids accessing protected resources and returns an invalid token error.
  7. The client requests a new access token by submitting the refresh token.
  8. The auth server validates the refresh token and issues a new access token and a new refresh token.

Representation of access and refresh token

As mentioned before, a refresh token is simply a random string. However, an access token has a specific representation. As per RFC [1]:

Access tokens can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server security requirements.

I used the JSON Web Token (JWT) [2] format for an access token. As per this article [2]:

a well-formed JWT consists of three concatenated Base64url-encoded strings, separated by dots (.)

Example JSON Web Token (JWT) generated online via


You can read more about this format here [2].

Why JWT format?

The JWT format allows us to validate an access token without a DB lookup. It means:

we don’t have to store the access token in our DB for validation purposes.

That’s the beauty of this format.

Libraries supporting JWT implementation

You may find plenty of libraries supporting JWT implementation, but I recommend using this library [3] if you use Scala. Reasons?

  • Good documentation
  • Actively contributed (commits: ~850, version: 9.x.x)

Security of refresh token

As refresh tokens are long-lived and are used to obtain an access token, it is crucial to keep them secure. To this end, refresh tokens are rotated [4].

So, every time a client exchanges a refresh token to get a new access token, a new refresh token is also returned (see Figure 1). It means:

the old refresh token is no longer valid and cannot be used to retrieve a new access token.

As refresh tokens are continually exchanged and invalidated, this reduces the threat of unauthorized access to our protected resources.

Furthermore, these refresh tokens are stored in the DB so that they can be revoked anytime (if needed).
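
The following Python is an added example, not code from the original post or from the library it recommends. It shows the two properties described above: a JWT access token verified from its signature and `exp` claim with no DB lookup, and a refresh token that is stored server-side, valid for one exchange only, and revocable. It assumes HS256 with a shared secret; the function names, the in-memory dict standing in for the DB table, and the choice to store only a SHA-256 hash of each refresh token are assumptions of this example.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)                  # constructed HS256 signing key
ACCESS_TTL, REFRESH_TTL = 15 * 60, 7 * 24 * 3600  # 15 minutes and 1 week, as in the article
refresh_db = {}            # stand-in for the DB table: sha256(token) -> (user, expiry)

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(msg: str) -> str:
    return b64e(hmac.new(SECRET, msg.encode(), hashlib.sha256).digest())

def token_key(refresh: str) -> str:
    return hashlib.sha256(refresh.encode()).hexdigest()

def issue_tokens(user: str, now: float) -> tuple[str, str]:
    """Return (access JWT, refresh token); only the refresh token's hash is stored."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64e(json.dumps({"sub": user, "exp": int(now) + ACCESS_TTL}).encode())
    access = f"{header}.{claims}.{sign(header + '.' + claims)}"
    refresh = secrets.token_urlsafe(32)           # opaque random string
    refresh_db[token_key(refresh)] = (user, now + REFRESH_TTL)
    return access, refresh

def verify_access(token: str, now: float) -> str | None:
    """Check signature, algorithm and expiry without touching refresh_db."""
    try:
        header, claims, sig = token.split(".")
        if not hmac.compare_digest(sig, sign(header + "." + claims)):
            return None
        if json.loads(b64d(header))["alg"] != "HS256":
            return None
        payload = json.loads(b64d(claims))
        return payload["sub"] if payload["exp"] > now else None
    except (ValueError, TypeError, KeyError):
        return None                               # malformed token

def rotate(refresh: str, now: float) -> tuple[str, str] | None:
    """Exchange a refresh token once; its row is removed before new tokens are issued."""
    row = refresh_db.pop(token_key(refresh), None)
    if row is None or row[1] <= now:
        return None                # unknown, already used, revoked, or expired
    return issue_tokens(row[0], now)

def revoke(refresh: str) -> None:
    refresh_db.pop(token_key(refresh), None)
```
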

Thanks for reading.

Originally written on Medium





