Authentication is the first step every application must get right. Users expect sign in to be effortless while developers need the system to be secure, scalable and easy to maintain. OAuth based sign in combined with access and refresh tokens has become the standard, and for good reason. It removes the burden of password handling and provides a clean way to authorize API access.
This guide walks through the entire flow in a clear and practical way.
Why OAuth
Instead of asking users to create yet another password, apps can rely on trusted identity providers such as Google, Apple or Microsoft. These providers verify the user and return a token representing that authenticated identity. Your app only needs to confirm this token and establish its own session.
This approach offers three major benefits:
- Users sign in faster
- Apps never handle passwords
- Sign in becomes more secure thanks to established identity systems
Step 1. User Signs In with an OAuth Provider
The process begins when the user selects an OAuth sign in option.
- The frontend opens the provider's authentication page.
- Once the user completes sign in, the provider returns a token to the frontend.
- The frontend forwards this token to your backend.
This token proves the user is authenticated by the provider. The frontend does not interpret it. It simply passes it along to the backend.
Step 2. Backend Verifies the OAuth Token
Upon receiving the token, the backend performs several tasks:
- Validates the token with the provider to ensure authenticity.
- Extracts information such as email or provider ID.
- Creates or retrieves the user record in the application's database.
- Issues two tokens: Access token and Refresh token.
The access token is short lived and meant for API calls. The refresh token lasts longer and is used to obtain new access tokens when they expire.
Step 3. Frontend Stores Tokens and Starts an Authenticated Session
After receiving both tokens, the frontend:
- Stores them securely using storage suitable for the platform.
- Attaches the access token to every protected API call.
- Retains the refresh token for renewing the session later.
The user is now fully signed in and can interact with protected areas of the application.
Step 4. Access Token Usage
Whenever the frontend calls a protected endpoint, it includes the access token:
Authorization: Bearer <access_token>
The backend validates the token and processes the request. If the token is valid, the user gains access to the protected resource.
Step 5. Handling Token Expiration
Access tokens expire quickly for security reasons. When an API call returns an authentication error:
- The frontend sends the refresh token to a dedicated refresh endpoint.
- The backend validates the refresh token.
- If valid, the backend issues a new access token.
- The frontend retries the original request with the new token.
This flow ensures continuous access without forcing the user to sign in again.
Step 6. Refresh Token Rotation
For added security, many systems rotate refresh tokens. After the backend validates a refresh token, it:
- Issues a new access token.
- Issues a new refresh token.
- Invalidates the old refresh token.
This prevents replay attacks and limits the impact if a refresh token is compromised.
Step 7. Sign Out
When the user signs out:
- The frontend clears stored tokens.
- The backend invalidates the refresh token in the database.
This ensures the session cannot be resumed using old tokens.
Key Considerations
Token Storage
- Web apps: Use httpOnly cookies for refresh tokens to prevent XSS attacks. Store access tokens in memory.
- Mobile apps: Use secure storage mechanisms like Keychain (iOS) or Keystore (Android).
Token Lifetime
- Access tokens: 15 minutes to 1 hour
- Refresh tokens: Days to weeks depending on security requirements
Security Best Practices
- Always use HTTPS to prevent token interception
- Validate tokens on every request
- Implement rate limiting on authentication endpoints
- Monitor for suspicious activity like multiple refresh attempts
- Use token rotation to limit exposure
Summary
OAuth sign in with access and refresh tokens provides a secure and user-friendly authentication system. By delegating identity verification to trusted providers, applications reduce complexity while improving security. The token-based flow enables seamless API access and session management without exposing passwords or requiring frequent logins.
This architecture has become the standard for modern applications because it balances security, usability, and developer experience.