Set expiration time short and rotate tokens. Issue a new access token every few request. Use refresh tokens to allow your application to obtain new access tokens without needing to re-authenticate
access token: Authorize access to a protected resource. Limited lifetime. Must be kept secret, security considerations are less strict due to their shorter life.
Refresh token: Allows your application to obtain new access tokens without needing to re-authenticate. Long lifetime. Store in secure long-term storage
Web applications: refresh the access token before it expires, each time user open the application and at fixed intervals. Alternatively renew the access token when a user performs an action. If the user uses an expired access token, the session is considered inactive and a new access token is required. This new token can be obtained with a refresh token or requiring credentials
Mobile/Native applications: Application login once and only once. Refresh token does not expire and can be exchanged for a valid JWT. Take in account special events like changing password