
difference between session token and access token?


Got a document in the sessions collection for a logged-in user in my test MongoDB database:


What’s the difference between sessionToken and accessToken, and why is only accessToken being returned to the session variable in const [ session, loading ] = useSession()?

{user: {…}, accessToken: "e25f790f00e553b82592626a2a948a643e90a6f3b7c3b0d7b4574e94437e52cc", expires: "2020-10-18T02:58:39.561Z"}
accessToken: "e25f790f00e553b82592626a2a948a643e90a6f3b7c3b0d7b4574e94437e52cc"
expires: "2020-10-18T02:58:39.561Z"
user: {email: "someemail@gmail.com"}

In what cases would you use the access token vs the session token and is there an example of how you would use these tokens?

Top GitHub Comments

19 reactions
iaincollins commented, Sep 22, 2020

Great question! This isn’t really covered anywhere in the documentation.

A Session Token is usually used to identify a session in a browser (or other client). Typically Session Tokens are fixed and do not change unless a user signs out, but in some applications they can rotate. For optimal security, they should not be readable by client side JavaScript (i.e. they are server side only cookies).

An Access Token is usually used as a way of providing a way for clients to make requests using a token that uniquely identifies a user / session, sometimes - but not always - with less privileges (e.g. it might be read only, or may perform create and update operations, but not delete operations). Typically Access Tokens do rotate. This is done to limit the risk of exposing a token to client side JavaScript, where it could be hijacked by third party scripts.

For example, Google Access Tokens are only valid for 1 hour and you must make a request using a Refresh Token (which does not rotate, and functions like a Session Token) to request a new Access Token every hour.

NextAuth.js implements Access Tokens in sessions as a way to provide an identifier for client side operations that can be tracked back to a session, without exposing the Session Token itself (so that a Session cannot be hijacked by a third party script).

However, it is currently only a basic implementation in that the Access Token it exposes does not change / expire and it is not used for anything internally - it’s more a placeholder which you can build on and extend to add your own functionality, to discourage people from exposing the Session Token client side.

In practice, if you have /api/ endpoints in a Next.js app you should be able to access the session directly from them (or JWT directly, if you are using JSON Web Tokens to store session data) so you probably don’t need to use the accessToken.

An example of how you might want to use it, is to pass it to another service to allow it to make API requests to your service (e.g. as callback) so that it could do so securely on behalf of your user, without exposing information about the user or their session.

1 reaction
asifsaho commented, Aug 19, 2022

I am looking for the accessToken since I need it to request any data from the backend. Where is it stored and how do I access it from the frontend?
