
[FEATURE]: Implement access and refresh token

Open cv5ch opened this issue 4 months ago • 0 comments

Description

Currently there is only one JWT token with validity of 2 hours for access to the API.

To improve security and user experience, the use of 2 tokens is recommended:

  • Short-lived access token (e.g. 5-15 minutes)
  • Long-lived refresh token (e.g. 7-30 days)

The server has to issue both an access and a refresh token. The access token is sent in every request and used to grant access to the backend resources. The refresh token is only used to get a new access token using the refresh endpoint once the access token is about to expire, and ideally revoked after usage (one-time token).

This allows for a seamless user experience, as long sessions are possible, and better security, as the attack window is minimized.

cv5ch Aug 22 '25 08:08
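The scheme the issue describes (short-lived access token, long-lived one-time refresh token, rotation on the refresh endpoint), as an added example that is not the project's code. It uses stdlib HMAC-signed tokens as a stand-in for a JWT library, stores only hashes of refresh tokens, and revokes a whole token family when a spent refresh token is presented again; `TokenService`, the TTLs and the signing key are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets, time

ACCESS_TTL = 15 * 60           # short-lived access token: 15 minutes
REFRESH_TTL = 30 * 24 * 3600   # long-lived refresh token: 30 days
SECRET = b"constructed-demo-signing-key"  # constructed; load from config in practice

def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

class TokenService:
    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be tested
        self.refresh_store = {}        # sha256(refresh token) -> record; only hashes at rest

    def _access_token(self, user: str) -> str:
        body = _b64(json.dumps({"sub": user, "exp": int(self.now()) + ACCESS_TTL}).encode())
        return (body + b"." + _b64(hmac.new(SECRET, body, hashlib.sha256).digest())).decode()

    def verify_access(self, token: str):
        body, sig = token.encode().split(b".")
        expected = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None                # bad signature
        payload = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
        return payload if payload["exp"] > self.now() else None   # None once expired

    def _issue_refresh(self, user: str, family: str) -> str:
        raw = secrets.token_urlsafe(32)
        self.refresh_store[hashlib.sha256(raw.encode()).hexdigest()] = {
            "sub": user, "family": family, "exp": self.now() + REFRESH_TTL, "used": False}
        return raw

    def login(self, user: str):
        # each login starts a new token family so reuse can be traced to one chain
        return self._access_token(user), self._issue_refresh(user, secrets.token_hex(8))

    def refresh(self, raw: str):
        rec = self.refresh_store.get(hashlib.sha256(raw.encode()).hexdigest())
        if rec is None or rec["exp"] <= self.now():
            return None                # unknown, revoked or expired
        if rec["used"]:
            # a one-time token presented twice: someone holds a copy, so revoke the
            # whole family rather than trusting either party's newer tokens
            for r in self.refresh_store.values():
                if r["family"] == rec["family"]:
                    r["exp"] = 0
            return None
        rec["used"] = True             # rotate: old refresh token is spent
        return self._access_token(rec["sub"]), self._issue_refresh(rec["sub"], rec["family"])
```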