Security//token
A string that proves something: identity, permission, or both. Three types show up in an app with OAuth:
Session token — says "I'm Carmen." Generated by Supabase when the user authenticates. Stored in the browser's cookies. Every frontend-to-backend request carries it automatically. It's what lets RLS know who to filter for.
Access token — says "I have permission to read Carmen's Gmail." Generated by Google during OAuth. Expires fast (~1 hour). Stored server-side in the profiles table in Supabase — never reaches the browser. The backend uses it to call the Gmail API.
Refresh token — says "give me another access token without bothering Carmen." Also from Google, also server-side. When the access token expires, the backend uses the refresh token to get a new one. The user never notices.
Session tokens travel via cookies. Gmail tokens live only on the server. Identity travels, secrets don't.
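An added example, not code from the original note or from Supabase or Google, showing the split described above in one runnable TypeScript file: the session cookie is resolved to a user id, the Google access and refresh tokens live only in a server-side `profiles` map standing in for the Supabase table, the access token is refreshed server-side when it has expired, and the only profile data that goes back to the browser is identity. The cookie name `sb-session`, the `Refresher` signature and all token values are constructed for this example; a real backend would call Google's token endpoint with `grant_type=refresh_token` where `fakeGoogle` is used here.

```typescript
// Added example (not the note's own code). Assumed stand-ins: the `profiles`
// map for the Supabase profiles table, `sessions` for Supabase's session
// lookup, the `sb-session` cookie name, and `Refresher` for Google's token
// endpoint. All token strings are constructed sample values.

interface GoogleTokens {
  accessToken: string;   // short-lived; used by the backend for Gmail API calls
  refreshToken: string;  // long-lived; used only to mint new access tokens
  expiresAt: number;     // epoch milliseconds after which accessToken is dead
}

// Server-side only: user id -> Google tokens. Nothing here is ever serialized
// into a response for the browser.
const profiles = new Map<string, GoogleTokens>();

// Stand-in for Supabase resolving a session token to the user it identifies.
const sessions = new Map<string, string>([["sess-carmen-123", "user-carmen"]]);

// Resolve the session cookie to a user id. Missing or unknown tokens give
// null so nothing downstream runs as a guessed user.
function userFromCookie(cookieHeader: string): string | null {
  for (const pair of cookieHeader.split(";")) {
    const trimmed = pair.trim();
    const eq = trimmed.indexOf("=");
    if (eq < 0) continue;
    const name = trimmed.slice(0, eq);
    const value = trimmed.slice(eq + 1);
    if (name === "sb-session") return sessions.get(value) ?? null;
  }
  return null;
}

// Shape of what a real call to Google's token endpoint returns; assumed here
// so the example runs offline.
type Refresher = (refreshToken: string) => { accessToken: string; expiresInSec: number };

// Return a usable access token for this user, refreshing it server-side when
// it has expired or is within `skewMs` of expiring. The refresh token never
// leaves this function, and the caller uses the access token only to call
// Gmail on the user's behalf.
function getValidAccessToken(userId: string, now: number, refresh: Refresher, skewMs = 60000): string {
  const row = profiles.get(userId);
  if (!row) throw new Error("user has not linked Gmail");
  if (row.expiresAt - skewMs > now) return row.accessToken; // still fresh
  const fresh = refresh(row.refreshToken);
  row.accessToken = fresh.accessToken;
  row.expiresAt = now + fresh.expiresInSec * 1000;
  profiles.set(userId, row);
  return row.accessToken;
}

// The only profile data the browser gets: identity and a linked flag.
// The token fields are deliberately not part of this type.
function profileForBrowser(userId: string): { userId: string; gmailLinked: boolean } {
  return { userId, gmailLinked: profiles.has(userId) };
}

// Walk through the lifecycle with constructed values and return the results.
function demo(): { user: string | null; first: string; second: string; third: string; refreshCalls: number; leaked: boolean } {
  profiles.set("user-carmen", {
    accessToken: "ya29.old",
    refreshToken: "1//refresh-carmen",
    expiresAt: 1000000,
  });
  let refreshCalls = 0;
  const fakeGoogle: Refresher = () => {
    refreshCalls++;
    return { accessToken: "ya29.new-" + refreshCalls, expiresInSec: 3600 };
  };
  // Identity arrives via the cookie; the browser sends nothing else.
  const user = userFromCookie("theme=dark; sb-session=sess-carmen-123");
  // 1. Access token still valid: served from the profiles row, no refresh.
  const first = getValidAccessToken("user-carmen", 500000, fakeGoogle);
  // 2. Access token expired: refreshed once, user never notices.
  const second = getValidAccessToken("user-carmen", 2000000, fakeGoogle);
  // 3. Thirty minutes later, inside the new hour: cached again.
  const third = getValidAccessToken("user-carmen", 2000000 + 30 * 60000, fakeGoogle);
  // What goes to the browser contains no Google token material.
  const leaked = JSON.stringify(profileForBrowser("user-carmen")).includes("ya29");
  return { user, first, second, third, refreshCalls, leaked };
}

console.log(demo());
```

The `skewMs` margin refreshes slightly before the recorded expiry so a request does not go out with a token that dies in transit; the `profileForBrowser` return type is the check that keeps the "secrets don't travel" rule from being violated by accident when someone later adds fields to the profile row.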