Author: Tianle Yuan




"Auth" covers two distinct things, Authentication and Authorization. In REST API communication they show up as two different failure responses:

  • Without Authentication → 401 Unauthorized (the server does not know who you are).
  • Without Authorization → 403 Forbidden (the server knows who you are, but you do not have permission to access the resource).

Note the naming trap: the 401 status is spelled "Unauthorized" in the HTTP specification, but it means "not authenticated"; 403 is the one that means "authenticated but not permitted".


To implement both, the usual building block is a token.

Why Token?

Compared with a username and password, tokens are temporary: they are issued for a session, stored in the browser or on the device, and stop working automatically when the session ends or the expiration time passes. A username and password, by contrast, stay valid until someone changes them, so a leaked password is far more damaging than a leaked token.

Token generation⚓︎

A token is constructed from the components below:

picture 10

How to use Token⚓︎

How to apply Token?

The client sends the token in the HTTP Authorization header on every request, normally as a bearer token (Authorization: Bearer <token>), and the server validates it before touching the resource. Keep it out of the URL query string, where it would end up in server logs and browser history.

OAuth 2.0⚓︎

Why need two Tokens?

Splitting the credential into a short-lived access token and a longer-lived refresh token limits the blast radius of a credential attack: the token that travels with every request, and is therefore the most exposed, expires quickly, while the token that can mint new access tokens is sent only to the authorization server and can be revoked there.

Credential attack!
Username-Password Auth

picture 11

One Token Auth

picture 12

Two Token Auth (OAuth 2.0)

picture 13

Implement OAuth 2.0⚓︎

Of the two tokens, one is the Access Token and the other is the Refresh Token.

Difference between the two tokens?
  • Access tokens have a "time-to-live" (TTL): the maximum period during which the access token is valid for use against the application's resources.

  • Refresh tokens have longer expiration times than access tokens. The existence of refresh tokens allows you to use shorter lifetimes for access tokens WITHOUT having to request user credentials multiple times: when the access token expires, the client presents the refresh token to the authorization server and receives a fresh access token (and, with rotation, a fresh refresh token as well).
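The following is an added example, not code from this page or from any OAuth 2.0 library. It ties together the three points above: the 401/403 decision a resource server makes on a bearer token, the short access-token TTL, and the refresh-token exchange with rotation. It assumes a hypothetical server-side HMAC key, an in-memory refresh-token store, and a constructed user "alice"; the password check that would precede issue_tokens is out of scope.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumptions for this illustration: one HMAC key held only by the server and an
# in-memory store for refresh tokens. Real deployments use a standard token format
# (e.g. JWT) and a database, but the decision logic is the same.
SECRET_KEY = b"server-only-signing-key"   # hypothetical key, never shipped to clients
ACCESS_TTL = 300                           # 5 minutes: a stolen access token dies fast
REFRESH_TTL = 30 * 24 * 3600               # 30 days: avoids re-prompting for the password

# Live refresh tokens: jti -> {"sub", "scope", "exp"}. An entry is deleted when
# the token is used (rotation), so a replayed copy is rejected.
REFRESH_STORE = {}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(payload: dict) -> str:
    """Serialise the payload and append an HMAC-SHA256 tag: '<body>.<sig>'."""
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify(token: str, now: int):
    """Return the payload if the tag is valid and the token is unexpired, else None."""
    if token.count(".") != 1:
        return None
    body, sig = token.split(".")
    expected = _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def issue_tokens(user: str, scopes: list, now: int):
    """Called once the username/password has been verified: return (access, refresh)."""
    access = mint({"typ": "access", "sub": user, "scope": scopes, "exp": now + ACCESS_TTL})
    jti = secrets.token_urlsafe(16)            # unique id so the server can track/revoke it
    REFRESH_STORE[jti] = {"sub": user, "scope": scopes, "exp": now + REFRESH_TTL}
    refresh = mint({"typ": "refresh", "sub": user, "jti": jti, "exp": now + REFRESH_TTL})
    return access, refresh


def refresh_tokens(refresh_token: str, now: int):
    """Exchange a refresh token for a new pair; the old refresh token is rotated out.

    A second use of the same refresh token returns None. Stricter servers treat that
    reuse as theft and revoke the whole token family; that step is omitted here.
    """
    payload = verify(refresh_token, now)
    if payload is None or payload.get("typ") != "refresh":
        return None
    record = REFRESH_STORE.pop(payload.get("jti"), None)
    if record is None:
        return None
    return issue_tokens(record["sub"], record["scope"], now)


def authorize(headers: dict, required_scope: str, now: int) -> int:
    """Decide what the resource server answers for a request: 200, 401 or 403."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return 401                                   # no credential: who are you?
    payload = verify(value[len("Bearer "):], now)
    if payload is None or payload.get("typ") != "access":
        return 401                                   # forged, expired, or wrong token type
    if required_scope not in payload.get("scope", []):
        return 403                                   # known user, insufficient permission
    return 200


if __name__ == "__main__":
    t0 = 1_700_000_000
    access, refresh = issue_tokens("alice", ["read"], t0)        # constructed sample user
    print(authorize({"Authorization": f"Bearer {access}"}, "read", t0))                # 200
    print(authorize({"Authorization": f"Bearer {access}"}, "write", t0))               # 403
    print(authorize({"Authorization": f"Bearer {access}"}, "read", t0 + ACCESS_TTL))   # 401
    access2, refresh2 = refresh_tokens(refresh, t0 + ACCESS_TTL)
    print(authorize({"Authorization": f"Bearer {access2}"}, "read", t0 + ACCESS_TTL))  # 200
    print(refresh_tokens(refresh, t0 + ACCESS_TTL))                                    # None (rotated out)
```

The walk-through in the main block follows the diagrams: a fresh access token passes, the same token fails with 403 for a scope it was not granted, it fails with 401 once its TTL has elapsed, the refresh token buys a new pair without asking for the password again, and the consumed refresh token is refused on replay. A refresh token presented as a bearer credential is also refused, because the resource server checks the token type, not just the signature.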

Iterations Diagram

picture 14

picture 15

picture 16

picture 17

picture 18

Last update: February 27, 2023 00:42:01
Created: December 5, 2022 10:33:13