How to pass both a Refresh Token & Access Token via headers to middleware? #3444

sihayas · 2025-08-21T01:50:03Z

sihayas
Aug 21, 2025

Summary

I am following this guide and other docs to understand how to create an Auth middleware.

https://mattrighetti.com/2025/05/03/authentication-with-axum

Towards the end, they use cookies to send both a refresh token and jwt/access token. But this is for browser based apps. For a mobile based app without cookies, how can I accomplish this/should I?

I am currently doing this

pub async fn auth(
    State(app): State<AppState>,
    TypedHeader(auth): TypedHeader<Authorization<Bearer>>,

    headers: HeaderMap,
    request: Request,
    next: Next,
) -> Response {
    // do something with `request`...

    let refresh_token = headers.get("x-refresh-token").and_then(|h| h.to_str().ok());

axum version

0.8.4

Answered by mladedav

Aug 23, 2025

Again, you're asking questions about security of a system, not how to do something in axum.

When I disregard the use-case and focus just in getting the header values, you can also implement the Header trait for the custom header you're interested in and use two TypedHeaders. But what you wrote works for getting a non-standard header too.

View full answer

mladedav · 2025-08-22T17:34:17Z

mladedav
Aug 22, 2025
Maintainer

This doesn't seem like axum-specific question and more like how to do authentication in a mobile app. Which I don't really have experience with but I'm sure there will be a lot of other resources on that.

3 replies

sihayas Aug 22, 2025
Author

from what i have read, it depends, but i am more specifically talking about the approach where you send both a refresh token and access token in the same request for every request. is it ideal to use the header map here since the authorization bearer contains the access token?

'''
pub async fn auth(
State(app): State,
// run the TypedHeader extractor
TypedHeader(auth): TypedHeader<Authorization>,
// you can also add more extractors here but the last
// extractor must implement FromRequest which
// Request does
headers: HeaderMap,
request: Request,
next: Next,
) -> Response {
// do something with request...

let refresh = headers.get("x-refresh-token").and_then(|h| h.to_str().ok());

let mut context = UserContext {
    user_id: None,
    is_admin: false,
};

// check if the access token is valid first
if let Ok(claims) = validate_access_token(auth.token(), &app.config.hmac_key) {
    context.user_id = Some(claims.sub);
}

'''

mladedav Aug 23, 2025
Maintainer

Again, you're asking questions about security of a system, not how to do something in axum.

When I disregard the use-case and focus just in getting the header values, you can also implement the Header trait for the custom header you're interested in and use two TypedHeaders. But what you wrote works for getting a non-standard header too.

Answer selected by sihayas

sihayas Aug 23, 2025
Author

thank you

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

How to pass both a Refresh Token & Access Token via headers to middleware? #3444

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

How to pass both a Refresh Token & Access Token via headers to middleware? #3444

Uh oh!

Uh oh!

sihayas Aug 21, 2025

Summary

axum version

Replies: 1 comment · 3 replies

Uh oh!

mladedav Aug 22, 2025 Maintainer

Uh oh!

Uh oh!

sihayas Aug 22, 2025 Author

Uh oh!

mladedav Aug 23, 2025 Maintainer

Uh oh!

sihayas Aug 23, 2025 Author

sihayas
Aug 21, 2025

Replies: 1 comment 3 replies

mladedav
Aug 22, 2025
Maintainer

sihayas Aug 22, 2025
Author

mladedav Aug 23, 2025
Maintainer

sihayas Aug 23, 2025
Author