DEV Community

Discussion on: What is the usual flow in authenticating a Client Application with a Token based REST API?

Ayaz Hussein

Hey, what other information can be used to differentiate between a stolen refresh token and a valid refresh token?

Blake Wight

This reply is a bit late, but perhaps useful to a future passer-by. What you could do is have the front end pass in some information about where they are located and/or their device/browser and then tie refresh tokens to each device/browser. This could allow the user to revoke refresh tokens per location/device. If a request provides a token from a new location (for that token), revoke it and require another login from that device. Still spoofable, but it adds another layer.
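As an added illustration of the device-binding scheme described in the reply above (example code written for this page, not code from either commenter), here is a small in-memory refresh token store. It binds each refresh token to a fingerprint built from the browser identity and a coarse network location, rotates the token on every use, revokes a token the moment it is presented from a fingerprint it was not issued to, and lets a user revoke all tokens for one device. The fingerprint inputs, the `RefreshTokenStore` class and the sample user IDs are assumptions made for the example; a real deployment would persist the records in a database rather than a dictionary.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class RefreshRecord:
    user_id: str
    fingerprint: str   # hash of the device/browser/location info presented at login
    revoked: bool = False


class RefreshTokenStore:
    """In-memory store of refresh tokens bound to a device fingerprint (example only)."""

    def __init__(self) -> None:
        # Keyed by sha256(token) so a leaked store does not yield usable tokens.
        self._records: Dict[str, RefreshRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def fingerprint(user_agent: str, ip_prefix: str) -> str:
        # Constructed fingerprint: browser identity plus a coarse location (IP prefix).
        # The client supplies these on login and on every refresh.
        return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()

    def issue(self, user_id: str, fingerprint: str) -> str:
        """Mint a new opaque refresh token bound to one device fingerprint."""
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = RefreshRecord(user_id, fingerprint)
        return token

    def refresh(self, token: str, fingerprint: str) -> Optional[str]:
        """Return a rotated token, or None when the caller must log in again."""
        rec = self._records.get(self._key(token))
        if rec is None or rec.revoked:
            return None
        if rec.fingerprint != fingerprint:
            # Presented from a device/location it was never bound to: treat it as
            # stolen, revoke it, and force a fresh login from that device.
            rec.revoked = True
            return None
        # Refresh tokens are single-use: retire the old one and hand out a new one.
        rec.revoked = True
        return self.issue(rec.user_id, fingerprint)

    def revoke_device(self, user_id: str, fingerprint: str) -> int:
        """Let a user revoke every live refresh token for one device/location."""
        count = 0
        for rec in self._records.values():
            if rec.user_id == user_id and rec.fingerprint == fingerprint and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def active_devices(self, user_id: str) -> Set[str]:
        """Fingerprints that still hold a live refresh token for this user."""
        return {r.fingerprint for r in self._records.values()
                if r.user_id == user_id and not r.revoked}


if __name__ == "__main__":
    store = RefreshTokenStore()
    laptop = RefreshTokenStore.fingerprint("Firefox/120", "203.0.113.")   # constructed
    unknown = RefreshTokenStore.fingerprint("curl/8.0", "198.51.100.")     # constructed
    first = store.issue("alice", laptop)
    second = store.refresh(first, laptop)          # normal rotation succeeds
    print("rotated:", second is not None)
    print("reuse of old token:", store.refresh(first, laptop))        # None
    print("from unknown device:", store.refresh(second, unknown))     # None, token revoked
    print("back on laptop:", store.refresh(second, laptop))           # None, must log in again
```

The mismatch check is deliberately strict: a token seen from a new fingerprint is revoked rather than silently accepted, so a legitimate user who roams to a new network has to log in again on that device, which is the trade-off the reply describes.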