🔑JWT & Auth

JWT Refresh Token Pattern

A long-lived credential used to obtain new access tokens without asking the user to log in again.

Explanation

Refresh tokens are typically opaque strings or JWTs, stored securely (e.g., in HttpOnly cookies), that let a client maintain a user's session after the short-lived access token expires.

Examples

Refresh Logic
POST /auth/refresh { "refreshToken": "..." }

Code Examples

Refresh Payload
{
  "sub": "user_123",
  "token_version": 5,
  "iat": 1705069800,
  "exp": 1707661800
}

💡 Tips

  • Include a "token version" claim so that all of a user's outstanding tokens can be revoked by incrementing it
  • Refresh tokens should have a much longer expiry than access tokens
  • Store it in a Secure, HttpOnly, SameSite cookie so page scripts cannot read it (XSS)

⚠️ Common Pitfalls

  • If a refresh token is stolen, the attacker can keep generating access tokens until the refresh token expires or is revoked