Refresh Token
// Definition
A longer-lived credential used to obtain a new access token when the current one expires, without forcing the user to log in again. Because it is more powerful than an access token (it can mint many of them), it must be stored securely, be revocable, and be invalidated on logout and on password change; many services also rotate it on every use so that a replayed copy can be detected. QA checks: after logout or a password reset, a previously issued refresh token can no longer mint new access tokens; where the product rotates refresh tokens, presenting an already-used token is rejected.
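The lifecycle above, as an added example that is not part of this glossary: an in-memory token service that issues an access/refresh pair on login, rotates the refresh token on every use, burns the whole token family when a spent token is replayed, and revokes families on logout and password change. The lifetimes, the `TokenService`/`refresh_outcome` names and the SHA-256-hashed storage are assumptions for illustration, not a specific product's design.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed lifetimes for the example; tune to the product's risk profile.
ACCESS_TTL = 300            # 5 minutes
REFRESH_TTL = 30 * 86400    # 30 days


@dataclass
class RefreshRecord:
    user: str
    family: str        # one family per login; rotations stay inside it
    expires_at: float
    used: bool = False


class TokenService:
    """Server side of the refresh flow: issue, rotate, detect reuse, revoke.

    Only SHA-256 hashes of refresh tokens are stored, so a leaked table
    does not yield usable credentials.
    """

    def __init__(self) -> None:
        self._refresh: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue_pair(self, user: str, family: str, now: float) -> Tuple[dict, str]:
        access = {"sub": user, "exp": now + ACCESS_TTL}
        refresh = secrets.token_urlsafe(32)
        self._refresh[self._h(refresh)] = RefreshRecord(user, family, now + REFRESH_TTL)
        return access, refresh

    def login(self, user: str, now: Optional[float] = None) -> Tuple[dict, str]:
        now = time.time() if now is None else now
        return self._issue_pair(user, secrets.token_hex(8), now)

    def refresh(self, token: str, now: Optional[float] = None) -> Tuple[dict, str]:
        """Exchange a refresh token for a new access+refresh pair (rotation)."""
        now = time.time() if now is None else now
        rec = self._refresh.get(self._h(token))
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec.family in self._revoked_families:
            raise PermissionError("refresh token revoked")
        if now >= rec.expires_at:
            raise PermissionError("refresh token expired")
        if rec.used:
            # A rotated token presented again means the client replayed it or an
            # attacker holds a copy; either way the whole family is burned.
            self._revoked_families.add(rec.family)
            raise PermissionError("refresh token reuse detected; family revoked")
        rec.used = True
        return self._issue_pair(rec.user, rec.family, now)

    def logout(self, token: str) -> None:
        """Revoke the family of the presented token (even if already rotated)."""
        rec = self._refresh.get(self._h(token))
        if rec is not None:
            self._revoked_families.add(rec.family)

    def password_changed(self, user: str) -> None:
        """Revoke every family the user holds, across all devices."""
        for rec in self._refresh.values():
            if rec.user == user:
                self._revoked_families.add(rec.family)


def refresh_outcome(svc: TokenService, token: str, now: float) -> str:
    """QA helper: 'ok' when a new pair was minted, else the refusal reason."""
    try:
        svc.refresh(token, now)
        return "ok"
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = 1_700_000_000
    svc = TokenService()
    _, r1 = svc.login("alice", now=t0)
    _, r2 = svc.refresh(r1, now=t0 + 600)                    # rotation: r1 is now spent
    print("replay r1:", refresh_outcome(svc, r1, t0 + 700))  # reuse detected
    print("then r2:  ", refresh_outcome(svc, r2, t0 + 800))  # family revoked
```

The QA checks in the entry map directly onto `refresh_outcome`: after `logout` or `password_changed` every token of the affected families must come back as revoked, and after a rotation the old token must be refused (here it also takes the new one down with it).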
// Related terms
Access Token
A short-lived credential a client sends with each request to access protected resources, often a JWT carried in an `Authorization: Bearer` header. Because it grants access, it must be transmitted only over TLS, expire after a short fixed lifetime, and never carry sensitive data in a readable payload. QA checks: a missing, invalid or expired access token is rejected with 401, and a token belonging to one user cannot access another user's data.
JWT
JSON Web Token: a compact, URL-safe token format for transmitting claims between parties. A JWT has three Base64URL-encoded sections separated by dots: header (`alg`, the signing algorithm, and usually `typ`), payload (claims like `sub`, `exp`, `roles`), and a signature over the first two sections. Because the payload is encoded but not encrypted, any holder of the token can read the claims; never store secrets in a JWT payload. Test JWTs by checking expiry enforcement, algorithm validation (the verifier pins the algorithm and key it accepts rather than trusting the token's `alg` header, so `alg: none` and algorithm-confusion tokens are rejected), and rejection of tampered payloads or signatures.
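The verification checks listed above, as an added example rather than code from this glossary: a minimal HS256 verifier built on the standard library only, plus a `mint_hs256` helper used to construct the test tokens. It pins the algorithm before touching the key, compares the signature in constant time, and treats a missing `exp` as a failure. The key, the `EXPECTED_ALG` constant and the `check` helper are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example; a real service loads it from a secret store.
SECRET_KEY = b"demo-hmac-key-for-illustration-only"
# The verifier pins one algorithm rather than trusting the token's own header.
EXPECTED_ALG = "HS256"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Issue a signed HS256 JWT; used here to build the test inputs."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token, or raise ValueError with the reason.

    Order matters: structure, then the pinned algorithm (so `alg: none` and
    algorithm-confusion headers are refused before any key is touched), then
    the signature in constant time, then `exp`.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"undecodable header or payload: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")

    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")

    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        presented_sig = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError(f"undecodable signature: {exc}") from exc
    if not hmac.compare_digest(expected_sig, presented_sig):
        raise ValueError("signature mismatch")

    # Expiry is mandatory here: a token without `exp` would never stop working.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        raise ValueError("missing or non-numeric exp claim")
    if (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    return payload


def check(token: str, now: float, key: bytes = SECRET_KEY) -> str:
    """QA helper: 'ok' or the rejection reason, for tabulating test cases."""
    try:
        verify_jwt(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    good = mint_hs256({"sub": "alice", "exp": now + 300})
    hdr, body, sig = good.split(".")
    none_hdr = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    forged_body = _b64url_encode(b'{"sub":"admin","exp":1700000300}')
    for label, tok, at in [
        ("valid", good, now),
        ("expired", good, now + 300),
        ("alg none", f"{none_hdr}.{body}.", now),
        ("tampered payload", f"{hdr}.{forged_body}.{sig}", now),
        ("wrong key", mint_hs256({"sub": "alice", "exp": now + 300}, b"other"), now),
    ]:
        print(f"{label:18} -> {check(tok, at)}")
```

The same cases are what a QA pass against a real verifier should exercise; the point of the `alg` check coming first is that a verifier which dispatches on the header's `alg` can be talked into treating an RSA public key as an HMAC secret, which pinning avoids entirely.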
Session
A server-side or client-side record that persists a user's authenticated state across requests. Sessions are created on login, referenced by a session ID sent in a cookie or header, and invalidated on logout or expiry. Testing considerations include: session fixation (attacker sets the victim's session ID before login), failure to rotate the ID after privilege escalation, excessively long session lifetimes that extend exposure after credential compromise, and whether logout actually invalidates the server-side session.
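The fixation and logout checks listed in the Session entry, as an added example that is not part of this glossary: a server-side session table that can be run in its vulnerable form (the ID the client presented is upgraded to an authenticated session) or in its fixed form (a fresh ID is minted on login), with an absolute lifetime and server-side logout. `SessionStore`, `fixation_attack` and the 8-hour default are assumptions for illustration.

```python
import secrets
from typing import Dict, Optional, Tuple


class SessionStore:
    """Server-side session table: opaque session ID -> (user or None, created_at).

    `rotate_on_login` selects between the vulnerable behaviour (keep whatever ID
    the client presented and upgrade it to an authenticated session) and the
    fix (mint a fresh ID the moment the principal changes).
    """

    def __init__(self, rotate_on_login: bool, max_age: float = 8 * 3600) -> None:
        self.rotate_on_login = rotate_on_login
        self.max_age = max_age          # absolute lifetime; 8 h is an assumed default
        self._sessions: Dict[str, Tuple[Optional[str], float]] = {}

    def new_anonymous(self, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (None, now)
        return sid

    def login(self, presented_sid: str, user: str, now: float) -> str:
        """Authenticate `user`; return the session ID the client must use from now on."""
        if self.rotate_on_login:
            self._sessions.pop(presented_sid, None)   # planted or pre-login ID dies here
            sid = secrets.token_urlsafe(32)
        else:
            sid = presented_sid                       # vulnerable: attacker-chosen ID survives
        self._sessions[sid] = (user, now)
        return sid

    def whoami(self, sid: str, now: float) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, created = entry
        if now - created >= self.max_age:
            self._sessions.pop(sid, None)             # expire server-side, not just in the cookie
            return None
        return user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)                 # clearing the cookie alone is not logout


def fixation_attack(store: SessionStore, now: float) -> Optional[str]:
    """Simulate fixation: the attacker obtains an anonymous session ID, plants it
    in the victim's browser, the victim logs in with it, then the attacker
    presents the same ID. Returns whom the attacker is now logged in as."""
    planted = store.new_anonymous(now)
    store.login(planted, "victim", now)
    return store.whoami(planted, now)


if __name__ == "__main__":
    t0 = 1_700_000_000
    print("no rotation:", fixation_attack(SessionStore(rotate_on_login=False), t0))
    print("rotation:   ", fixation_attack(SessionStore(rotate_on_login=True), t0))
```

Run both branches of `fixation_attack` as a regression test: the vulnerable store hands the attacker the victim's session, the rotating one returns nothing. The same `rotate_on_login` path is where an ID should also be regenerated after any privilege escalation, not only at login.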