Hey guys, I was looking over the documentation and I couldn't find this anywhere. What's the difference between an idRefreshToken and a refreshToken?
rp_st
08/17/2022, 4:18 AM
Hey! This is an implementation detail, but the difference is that the idRefreshToken is used by SuperTokens to know if a session exists when calling an API and the access token has expired (the browser doesn't send an expired access token to the backend).
rp_st
08/17/2022, 4:19 AM
So if we did not have the idRefreshToken, the backend wouldn't know whether the session exists or just the access token has expired. To solve this, we would then have to send the refresh token on each API call, which increases the security risk.
rp_st
08/17/2022, 4:20 AM
So instead, we created a new token called idRefreshToken, which is a random string that the backend can use to detect whether a session exists or not, without exposing the refresh token on each API call.