
Authentication with AccessToken & RefreshToken

Published
2 min read

Access tokens and refresh tokens are essential components of user authentication, allowing users to log in and maintain their session. An access token contains user details such as user ID, username, and email. The refresh token, which is used to obtain a new access token, typically contains minimal user data, often just the user ID. Access tokens are short-lived; when they expire (usually after 1 hour or up to 1 day), the server checks the refresh token to issue a new access token. If the refresh token is valid, a new access token is generated, keeping the user logged in. This process, known as refresh token rotation, is a key part of session management.

The refresh token backs the access token. It could carry all of the user's data, but most apps store only the user ID in it.

The access token is short-lived. When a user logs in, the server generates an access token for that specific user. After some time ⏰️ (maybe 1 hour, at most 1 day) the access token expires, and the client hits an endpoint to get a new one. There the user is checked through their refresh token: if the refresh token doesn't match the one stored for that user, the server logs the user out; if it matches, the server creates a new access token and the user stays logged in. This process is called refresh token rotation, and it is also what keeps the session alive.

🚀 That's how authentication mainly works.

I am learning about it, so if I am mistaken then please correct me.