jwt Invalidating Json Web Tokens Rotate tokens


Example

Set expiration time short and rotate tokens. Issue a new access token every few request. Use refresh tokens to allow your application to obtain new access tokens without needing to re-authenticate

Refresh and access tokens

  • access token: Authorize access to a protected resource. Limited lifetime. Must be kept secret, security considerations are less strict due to their shorter life.

  • Refresh token: Allows your application to obtain new access tokens without needing to re-authenticate. Long lifetime. Store in secure long-term storage

Usage recomendations:

  • Web applications: refresh the access token before it expires, each time user open the application and at fixed intervals. Alternatively renew the access token when a user performs an action. If the user uses an expired access token, the session is considered inactive and a new access token is required. This new token can be obtained with a refresh token or requiring credentials

  • Mobile/Native applications: Application login once and only once. Refresh token does not expire and can be exchanged for a valid JWT. Take in account special events like changing password