re: Let me understand, you are asking for a refresh token for such expired token right? I would do it with OAuth 2. Client asks for authorization -&g...

How is this advantageous over setting the expiration duration to like a month?


Well, it doesn't fit the requirements :) Also, it can be a security liability, depending on the ability of the server to expire/invalidate the content of the access token. This is a good overview of three strategies: Access Token Lifetime

The first strategy is the one I was talking about: short expiration for tokens, long for refresh tokens. The second is the one where you make tokens expire and make the user log in often (but it defies the requirements), the third one is the one where the token never expires but it strongly depends on the infrastructure and the ability to revoke tokens.
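As an added illustration of the first strategy (this is example code, not code from the thread or from any OAuth 2 library), here is a minimal token service: access tokens are HMAC-signed and checked statelessly with a short expiry, while refresh tokens are opaque values kept server-side, consumed on use (rotation) and revocable, which is the lever a month-long access token does not give you. The `TokenService` name, the `payload.signature` token layout and the TTL values are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TTL = 15 * 60          # short-lived access token: 15 minutes (assumed value)
REFRESH_TTL = 30 * 24 * 3600  # long-lived refresh token: 30 days (assumed value)


class TokenService:
    """Short access tokens (stateless) plus long, revocable refresh tokens."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.refresh_store = {}  # refresh token -> {"sub": ..., "exp": ...}

    def _sign(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, sub: str, now: int) -> dict:
        """Mint an access/refresh pair; `now` is a unix timestamp."""
        claims = json.dumps({"sub": sub, "exp": now + ACCESS_TTL}).encode()
        payload = base64.urlsafe_b64encode(claims).decode()
        refresh = secrets.token_urlsafe(32)  # opaque, only meaningful server-side
        self.refresh_store[refresh] = {"sub": sub, "exp": now + REFRESH_TTL}
        return {"access_token": f"{payload}.{self._sign(payload)}",
                "refresh_token": refresh}

    def verify_access(self, token: str, now: int):
        """Resource-server check: signature and expiry only, no DB lookup."""
        payload, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
        return claims["sub"] if now < claims["exp"] else None

    def refresh(self, refresh_token: str, now: int):
        """Exchange a refresh token for a new pair; the old one is consumed."""
        rec = self.refresh_store.pop(refresh_token, None)  # single use (rotation)
        if rec is None or now >= rec["exp"]:
            return None
        return self.issue(rec["sub"], now)

    def revoke(self, refresh_token: str) -> None:
        """Server-side revocation: access ends within ACCESS_TTL of this call."""
        self.refresh_store.pop(refresh_token, None)
```

Because a stolen access token dies on its own within ACCESS_TTL and a stolen refresh token can be revoked or detected by the failed reuse after rotation, the blast radius stays small without forcing the user to log in again every 15 minutes.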

