by ortekk 2851 days ago
Then why not just use "refresh token" as a session token?

Because it's stored and that would require a round trip to your auth server on every request. Plus, its security requirements are far higher than the access token's, so you don't want to be flinging it all over the internet. It only ever goes between your users and your auth server.