what are the maximum token lengths for Access and Refresh tokens

GSH-1402 45 Reputation points

We have been increasing our db column max lengths from time to time to facilitate the expansions in length of either the Access or the Refresh token from Microsoft's side. Is it possible to know an upper bound, or a possible length that will be sufficient for a considerable time?

Microsoft Graph

1 answer

  1. Dharahas Goud 5 Reputation points

    Access tokens and refresh tokens serve crucial roles in modern web application security. Let's explore their characteristics:

    1. Access Token:
      • An access token is a bearer token used to grant access to protected resources (such as APIs or databases).
      • It typically contains information about the user and their permissions.
      • Access tokens are short-lived, expiring after a certain period (usually an hour or less).
      • They are issued by an authentication server or identity provider.
      • Security: Even if an access token is compromised, its limited validity window ensures it can only be misused for a short time.
      • Size: A typical access token for the Graph API might be around 1.5 KB.
    2. Refresh Token:
      • Refresh tokens are long-lived tokens.
      • They are used to obtain a new access token when the current one expires.
      • Issued alongside an access token, refresh tokens are more secure than storing credentials on a device or browser.
      • They can be revoked by the authentication server at any time.
      • Refresh tokens are not passed along with API requests; they are used solely to obtain new access tokens.
      • Security: Even if a refresh token is compromised, it cannot directly access protected resources.
      • Size: A typical refresh token might be around 1 KB.

    Remember, these token lengths can vary based on the specific implementation and platform. Always refer to the documentation of the identity provider or authentication service you're using for precise details.

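A constructed example, not part of the question or the answer above, showing why a token column cannot be sized from one sample: a JWT's length grows with the claims the issuer puts in it (here a placeholder group list), and the storage guard refuses to insert anything the column would silently truncate. The signing key, issuer and claim values are placeholders; real Microsoft tokens are issued and signed by the identity provider, never by the application.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder key: only used so the signature segment has a realistic length.
SAMPLE_KEY = b"example-signing-key-not-a-real-secret"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for every JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims: dict, key: bytes = SAMPLE_KEY) -> str:
    """Build a JWT-shaped token (header.payload.signature) purely to measure its size."""
    compact = {"separators": (",", ":")}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def token_fits(token: str, column_max_chars: int) -> bool:
    """True if the token can be stored in the column without truncation."""
    return len(token) <= column_max_chars


def store_token(token: str, column_max_chars: int) -> int:
    """Fail loudly instead of letting the database truncate the token; returns stored length."""
    if not token_fits(token, column_max_chars):
        raise ValueError(f"token is {len(token)} chars, column allows {column_max_chars}")
    return len(token)


def claim_growth_demo() -> dict:
    """Compare a minimal claim set with one carrying many group claims (placeholder values)."""
    base = {"aud": "https://graph.microsoft.com", "iss": "https://sts.example/tenant-placeholder",
            "sub": "user-0001", "scp": "User.Read", "exp": 1700000000}
    small = make_hs256_jwt(base)
    # Placeholder group identifiers standing in for the GUIDs a directory would emit.
    large = make_hs256_jwt(dict(base, groups=[f"group-{i:04d}-placeholder" for i in range(40)]))
    return {"small": len(small), "large": len(large)}


if __name__ == "__main__":
    print(claim_growth_demo())
```

Measuring the token you receive today and adding margin is the only sizing rule the guard can support; a column type without a fixed length avoids the recurring migrations the question describes.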