Yeah, you can do both. I usually always store it in the DB, so that I can also revoke access by deleting the refresh token in the DB in case someone wants to change passwords (device stolen etc.). Otherwise, it's a lot harder to invalidate the refresh tokens and might have an impact on other users (for example invalidate all tokens that were issued before x).
Yeah, you can do both. I usually always store it in the DB, so that I can also revoke access by deleting the refresh token in the DB in case someone wants to change passwords (device stolen etc.). Otherwise, it's a lot harder to invalidate the refresh tokens and might have an impact on other users (for example invalidate all tokens that were issued before x).
Thank you