Token System
Understand how access tokens and refresh tokens work in Tzylo Auth CE.
Tzylo Auth CE uses a token-based authentication system to securely identify users and manage sessions.
Two types of tokens are used: access tokens and refresh tokens. Each has a distinct purpose and lifecycle.
Access Tokens
Access tokens are short-lived tokens used to authenticate API requests.
- Issued on successful login or token refresh
- Sent by clients in the Authorization header
- Used to access protected endpoints
Authorization: Bearer <ACCESS_TOKEN>
Access tokens expire automatically and cannot be refreshed directly; an expired access token is replaced by obtaining a new one with the refresh token.
Refresh Tokens
Refresh tokens are long-lived tokens used to obtain new access tokens without requiring the user to log in again.
- Issued alongside access tokens
- Stored as HTTP-only cookies
- Not accessible from client-side JavaScript
This design reduces exposure to token theft via XSS attacks: script injected into the page cannot read the cookie, so it cannot exfiltrate the refresh token.
Token Lifecycle
- User logs in → access and refresh tokens are issued
- Access token expires → client requests a new one from the refresh endpoint
- Refresh token (sent automatically as an HTTP-only cookie) validates the session
- New access token is returned
Token Expiration
Token expiration is configurable using environment variables:
ACCESS_TOKEN_EXPIRES_IN=15m
REFRESH_TOKEN_EXPIRES_IN=7d
Short-lived access tokens limit the window of misuse if a token is leaked.
Logout and Invalidation
When a user logs out:
- The refresh token is invalidated
- Existing access tokens naturally expire
- Further refresh attempts are rejected
This ensures that logged-out sessions cannot be reused.
What clients should store
- Store access tokens in memory (recommended)
- Do not store refresh tokens manually
- Rely on HTTP-only cookies for refresh tokens
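As an added example of the client-side guidance above (not Tzylo Auth CE's own client library), here is a browser-style API client that keeps the access token only in a closure variable, never reads or stores the refresh token, and lets the browser attach the HTTP-only cookie on the refresh call via credentials: 'include'. The refresh route path (/auth/refresh) and the { accessToken } response shape are assumptions, not documented Tzylo routes; the fakeServer below is a constructed stand-in so the example runs offline.

```javascript
// Added example, not Tzylo Auth CE code. Assumed: refresh route path and
// { accessToken } response shape. The refresh token is never handled by script.
function createAuthClient({ baseUrl, fetchImpl = globalThis.fetch, refreshPath = '/auth/refresh' }) {
  let accessToken = null; // memory only: never localStorage or sessionStorage

  // The refresh token is not in the request body or a header; the browser sends
  // the HTTP-only cookie because credentials is set to 'include'.
  async function refreshAccessToken() {
    const res = await fetchImpl(baseUrl + refreshPath, { method: 'POST', credentials: 'include' });
    if (!res.ok) { accessToken = null; return false; } // logged out or refresh token expired
    accessToken = (await res.json()).accessToken;
    return true;
  }

  // Attach "Authorization: Bearer <token>"; on 401 refresh once and retry.
  async function request(path, options = {}) {
    const send = () => fetchImpl(baseUrl + path, {
      ...options,
      headers: {
        ...(options.headers || {}),
        ...(accessToken ? { Authorization: `Bearer ${accessToken}` } : {}),
      },
    });
    let res = await send();
    if (res.status === 401 && (await refreshAccessToken())) res = await send();
    return res; // a 401 that survives the retry means the user must log in again
  }

  return {
    request,
    setAccessToken: (token) => { accessToken = token; },
    getAccessToken: () => accessToken,
  };
}

// Constructed stand-in for the server: accepts only the current access token,
// rotates it on refresh, and rejects refresh once the session is logged out.
function fakeServer() {
  const log = [];
  let currentAccess = 'access-1';
  let refreshValid = true;
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  const fetchImpl = async (url, opts = {}) => {
    const auth = (opts.headers || {}).Authorization;
    log.push({ url, auth, credentials: opts.credentials });
    if (url.endsWith('/auth/refresh')) {
      if (!refreshValid) return reply(401, {});
      currentAccess = 'access-2';
      return reply(200, { accessToken: currentAccess });
    }
    return auth === `Bearer ${currentAccess}` ? reply(200, { user: 'alice' }) : reply(401, {});
  };
  return { fetchImpl, log, logout: () => { refreshValid = false; } };
}

// Walk-through: expired access token -> transparent refresh -> retry succeeds;
// after logout the refresh is rejected and the 401 reaches the caller.
async function demo() {
  const server = fakeServer();
  const client = createAuthClient({ baseUrl: 'https://api.example', fetchImpl: server.fetchImpl });
  client.setAccessToken('access-expired');
  const first = await client.request('/me');
  const tokenAfterRefresh = client.getAccessToken();
  server.logout();
  client.setAccessToken('access-expired');
  const second = await client.request('/me');
  return {
    firstStatus: first.status,
    tokenAfterRefresh,
    refreshSentCookie: server.log[1].credentials === 'include',
    refreshHadNoToken: server.log[1].auth === undefined,
    secondStatus: second.status,
    tokenAfterFailedRefresh: client.getAccessToken(),
    totalCalls: server.log.length,
  };
}
```

Two details are worth keeping in mind: credentials: 'include' is only required when the API is on a different origin from the page (same-origin fetch sends cookies by default), and the single retry guard matters because a client that refreshes in a loop on every 401 turns a logged-out session into a stream of rejected refresh calls.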