Authentication · intermediate

Refresh Token

A long-lived token used to obtain new access tokens without requiring the user to log in again.

Detailed Explanation

A Refresh Token is a long-lived credential (typically valid for 30 days) that your app uses to get a new Access Token when the current one expires.

Think of it like a season pass: your Access Token is a day pass that expires every hour, but your refresh token lets you get a new day pass without going through the full login process again.

In Supabase, refresh tokens are stored securely in HTTP-only cookies, meaning JavaScript code running in the browser cannot access them directly. This is a security feature: even if malicious code runs on your page, it can't steal your refresh token.

The session management flow works like this: you log in and receive both tokens; you use the access token for requests; when it expires, Supabase automatically uses the refresh token to get a new one; and you stay logged in seamlessly.
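The flow above, as an added example that is not Supabase's code: a small in-memory model with a fake clock that shows a normal request, a silent refresh after the access token expires, and the forced re-login once the refresh token itself has expired. `AuthServer`, `request`, `demo` and the `refresh_token` cookie name are hypothetical; the one-hour and 30-day lifetimes are the ones used on this page.

```javascript
// Added example: in-memory model of the flow; every name here is hypothetical.
const { randomBytes } = require('node:crypto');
const ACCESS_TTL = 60 * 60 * 1000;             // 1 hour (the "day pass")
const REFRESH_TTL = 30 * 24 * 60 * 60 * 1000;  // 30 days (the "season pass")
class AuthServer {
  constructor(clock) { this.clock = clock; this.access = new Map(); this.refresh = new Map(); }
  issue(store, user, ttl) {
    const token = randomBytes(16).toString('hex');
    store.set(token, { user, expires: this.clock.now + ttl });
    return token;
  }
  lookup(store, token) {
    const rec = store.get(token);
    return rec && rec.expires > this.clock.now ? rec : null;
  }
  login(user) {
    const refresh = this.issue(this.refresh, user, REFRESH_TTL);
    // HttpOnly keeps this cookie out of document.cookie, so page script never sees it.
    const setCookie = `refresh_token=${refresh}; HttpOnly; Secure; SameSite=Lax; Max-Age=${REFRESH_TTL / 1000}`;
    return { accessToken: this.issue(this.access, user, ACCESS_TTL), setCookie };
  }
  refreshAccess(cookieHeader) {
    const token = /refresh_token=([0-9a-f]+)/.exec(cookieHeader || '')?.[1];
    const rec = this.lookup(this.refresh, token);
    return rec ? this.issue(this.access, rec.user, ACCESS_TTL) : null;
  }
  api(accessToken) { return { status: this.lookup(this.access, accessToken) ? 200 : 401 }; }
}

// Client: the cookie jar stands in for the browser; script only holds the access token.
function request(server, session) {
  const res = server.api(session.accessToken);
  if (res.status !== 401) return res;
  const fresh = server.refreshAccess(session.cookieJar);
  if (!fresh) return { status: 401, reason: 'login required' };
  session.accessToken = fresh;
  return server.api(fresh);
}
function demo() {
  const clock = { now: 0 }, server = new AuthServer(clock);
  const { accessToken, setCookie } = server.login('alice');
  const session = { accessToken, cookieJar: setCookie.split(';')[0] };
  const first = request(server, session).status;   // access token still valid
  clock.now += 2 * ACCESS_TTL;
  const second = request(server, session).status;  // expired, refreshed silently
  clock.now += REFRESH_TTL;
  const third = request(server, session).reason;   // refresh token expired too
  return { first, second, third, issued: server.access.size, setCookie };
}
```

Calling `demo()` returns the status of each of the three requests, the number of access tokens the server issued, and the `Set-Cookie` value sent at login.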
