A long-lived token used to obtain new access tokens without requiring the user to log in again.
A refresh token is a long-lived credential (lifetimes of days or weeks are common, set by the identity provider's policy) that your app exchanges for a new access token when the current one expires.
Think of it like a season pass: your Access Token is a day pass that expires every hour, but your refresh token lets you get a new day pass without going through the full login process again.
Where the refresh token is stored matters. A cookie flagged HttpOnly cannot be read by JavaScript running in the page, so script injected through an XSS bug cannot copy the token out. That protection only applies when your own server sets the cookie that way, which is the usual arrangement in a server-side rendering setup. The default browser supabase-js client instead keeps the whole session, refresh token included, in localStorage, which any script running on the page can read; if you rely on the HttpOnly property, confirm in the browser's storage inspector that the token really is in such a cookie and not in localStorage. Note also that HttpOnly stops a script from reading the cookie, not from triggering requests that carry it, so cookie-based sessions still need CSRF protection.
The session management flow works like this: you log in and receive both tokens; you send the access token with each request; when it is about to expire, the client (supabase-js does this for you when `autoRefreshToken` is enabled, which is the default) presents the refresh token to the auth server and receives a new access token; and you stay logged in without seeing a login screen. Supabase rotates refresh tokens, so each refresh also returns a new refresh token and the old one stops being accepted; the client must persist the new one every time, and a replay of an already-used refresh token is treated as a sign that it leaked.