What is the purpose of access tokens and refresh tokens?

Study for the User Account Management Test. Enhance your skills with flashcards and multiple choice questions, each with hints and explanations. Be prepared for success!

Multiple Choice

What is the purpose of access tokens and refresh tokens?

Explanation:
The main idea here is how token-based authentication balances security with a smooth user experience. An access token is a short‑lived credential you use to call protected APIs. It’s included with each request (usually in the Authorization header) and because it expires quickly, the risk is limited if it’s ever exposed. A refresh token, on the other hand, is a longer‑lived credential that lets the client obtain a new access token without asking the user to re-enter credentials. When the access token expires, the client uses the refresh token to get a fresh access token from the authorization server, continuing the session without interruptions. If the refresh token is revoked or expires, the user must re-authenticate. This separation is why the approach is described as granting API access for a limited time and enabling seamless renewal of access without re-authentication.

