The plain-English version β no jargon. If you can picture a hotel, you already understand it.
A web app has a problem: after you log in, how does it remember it's you on every click β without asking for your password again, and without letting a thief pretend to be you?
Four characters. Each has a plain name and a real technical name.
Checks your ID once and hands out keycards. Also the only one who can look up who you are.
The API / auth serverYou show it once at check-in β your email + Microsoft/Google login or a magic link. Never shown again.
Login (OAuth / magic link)Opens doors for a short time (15 min). You carry it in your pocket. If lost, it expires fast.
Access token (JWT), in memoryKept in the hotel safe β you can't take it out or even see it. It's used behind the scenes to print you a fresh keycard.
Refresh token (HttpOnly cookie)You show your ID once. The front desk verifies it and prepares your stay.
You pocket the keycard (works 15 min). The renewal ticket goes straight into the hotel safe β you never touch it.
Every door you open, you tap the keycard. Fast, no password.
Authorization: Bearer <JWT>.Just before your keycard stops working, the system quietly walks to the safe, uses the renewal ticket, and prints you a fresh keycard β you don't notice a thing.
/auth/refresh; the old refresh token is swapped for a new one (rotation).Every renewal ticket works once. If two people ever show up with the same ticket, the front desk knows one is a thief and cancels the whole room immediately.
If you don't move for 30 minutes, a little notice pops up: βStill around? Staying?β β click Stay and you're good; ignore it and you're signed out.
No matter how many renewals, there's a hard checkout β after the max stay you check in again. Keeps a forgotten session from living forever.
The renewal ticket stays in the safe even after you close everything. Come back soon and you're waved right back in. Come back much later (say, the next morning) and you check in again β on purpose, because this app handles money.
The renewal ticket (refresh token) is locked in the browser where scripts can't reach it. Even a malicious script on the page can't steal it.
A lost keycard (JWT) only works 15 minutes β and it can't be turned into a lasting copy without the safe's ticket.
Single-use renewal + reuse detection means a copied session gets the whole chain revoked the moment it's replayed.
Everything is over HTTPS, and the ticket refuses to be sent along on requests coming from other websites.
| Plain name | Real term | What it does | |
|---|---|---|---|
| ποΈ | Front desk | API / auth server | Verifies identity, issues tokens |
| πͺͺ | Showing your ID | Login (OAuth / magic link) | Prove who you are β once |
| π³ | Keycard | Access token (JWT) | Opens doors for 15 min; kept in memory |
| ποΈ | Renewal ticket in the safe | Refresh token (HttpOnly cookie) | Prints fresh keycards; JS can't read it |
| π | Quiet keycard swap | Refresh rotation | New token every renewal |
| π΅οΈ | Same-ticket alarm | Reuse detection | Revokes the whole session if copied |
| π« | Anti-forgery stamp | CSRF nonce (SameSite) | Blocks other websites from acting as you |
| β° | βStill there?β | Idle timeout + warning | Signs out after inactivity |
| πͺπ | Checkout time | Absolute cap | Hard limit on how long a stay can last |