I am building a token based authentication (Node.js using passport/JWT with an angular client).

After the user enter his credentials he gets an access token, which he sends in every request inside the header (header: bearer TOKEN).

I don't want to prompt a login request everytime his access token expires (about everyday I guess), I've heard about the Refresh Tokens. The refresh token never expires (or rarely expires) and able to renew tokens indefinitely.When the access token is about to expire, the client can send a renew request to get a new access token by sending his refresh token.

I don't understand few things, I might be missing something:

1. How a long-living/never expiring refresh tokens don't ruin the security of having short-living access tokens.

2. Cookies can be stole and be used until they expire. Tokens are short living so they more secured, but if I provide a long-living refresh token I lose the advantage of using tokens.

NOTE: I am aware that the refresh tokens are sent at the initial login, so cann't be spoofed in every request, but if they are spoofed at the initial request they are vulnerable.

The refresh token is presented on a different path than the access token: the access token is only ever presented to the Resource Server, the refresh token is only ever presented to the Authorization Server. The access token can be self-contained so that it does not need costly calls to the Authorization Server to check its validity, but to mitigate loss and to increase accuracy (it cannot be revoked in case something goes wrong) it is short-lived. The refresh token is long lived and gets validated on each call to the Authorization Server and as such it can be revoked. The combination of the two makes the system secure.