We use tokens to authenticate users and authorize requests without keeping session data on the server. A token is a piece of data that asserts a user's identity and permissions; the issuer signs it (much like a digital signature on a document), so any server that holds the verification key can check it without looking up a session.
An access token, issued by an authorization server, grants temporary access to a protected resource such as an API or website. Access tokens are typically valid for only minutes or a few hours; the lifetime is a setting chosen to limit how long a stolen token can be used against the resource server.
Refresh tokens: in the OAuth 2.0 authorization framework, a refresh token lets a client obtain a new access token when the current one expires, without asking the user for their password again. This is how native, web-based, and single-page apps keep a session alive for days or weeks while access tokens stay short-lived. Because a refresh token is long-lived and can mint new access tokens, it is more sensitive than the access token itself: it should be stored securely, tracked on the server so it can be revoked, and, ideally, rotated on every use so that replay of an old refresh token can be detected and the whole session revoked.
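The following is an added example, not code from the original page: a minimal access-token issuer and verifier (HMAC-signed, JWT-shaped, so verification is stateless) alongside a server-side refresh-token store with rotation and reuse detection. The signing key, lifetimes, `RefreshTokenStore` class, and the "family" bookkeeping are assumptions chosen for illustration; a production system would use a real JWT library and a persistent store.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Assumed example values: in production use 32+ random bytes from a secret store.
SIGNING_KEY = b"example-only-key-replace-with-random-bytes"
ACCESS_TTL = 300                 # access tokens live 5 minutes (assumed setting)
REFRESH_TTL = 30 * 24 * 3600     # refresh tokens live 30 days (assumed setting)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    except (binascii.Error, ValueError):
        raise ValueError("bad encoding")


def issue_access_token(subject: str, scope: str, now=None) -> str:
    """Build header.payload.signature with HS256; the server keeps no copy."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "scope": scope, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now=None) -> dict:
    """Stateless check: pin the algorithm, verify the signature, then check exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":      # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if now >= payload["exp"]:
        raise ValueError("expired")
    return payload


class RefreshTokenStore:
    """Refresh tokens are server-side state so they can be revoked and rotated.
    Only a hash of each token is stored; tokens issued by successive rotations
    share a 'family' so a replayed old token revokes the whole session."""

    def __init__(self):
        self._records = {}   # sha256(token) -> record

    def issue(self, subject: str, scope: str, family=None, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[hashlib.sha256(token.encode()).hexdigest()] = {
            "sub": subject, "scope": scope,
            "family": family or secrets.token_hex(8),
            "exp": now + REFRESH_TTL, "used": False,
        }
        return token

    def redeem(self, token: str, now=None):
        """Exchange a refresh token for a new access token plus a new refresh token."""
        now = time.time() if now is None else now
        rec = self._records.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None:
            raise ValueError("unknown refresh token")
        if rec["used"]:
            # An already-rotated token came back: assume theft, kill the family.
            self._revoke_family(rec["family"])
            raise ValueError("refresh token reuse detected; family revoked")
        if now >= rec["exp"]:
            raise ValueError("refresh token expired")
        rec["used"] = True
        new_refresh = self.issue(rec["sub"], rec["scope"], rec["family"], now)
        return issue_access_token(rec["sub"], rec["scope"], now), new_refresh

    def _revoke_family(self, family: str) -> None:
        for key in [k for k, r in self._records.items() if r["family"] == family]:
            del self._records[key]
```

The access token carries everything the resource server needs, so it is verified without any lookup; the refresh token is the opposite, a random handle whose meaning lives entirely in the store. Rotation makes each refresh token single-use, and reuse detection turns a stolen-and-replayed token into a revoked session rather than a silently extended one.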