JWT access + refresh token rotation (conceptual)

A single long-lived JWT is a liability: if it leaks, it stays valid until it expires, and because it is verified statelessly there is no cheap way to revoke it. I use short-lived access tokens (minutes, not days) and longer-lived refresh tokens, and I rotate the refresh token on every use, so each one is single-use. Rotation is what makes theft detectable: if a refresh token that has already been rotated is presented again, either the attacker or the legitimate client is replaying it, and since you cannot tell which, you invalidate the whole session and force both to log in again. The key is storing a hash of each refresh token server-side (never the raw token) and binding it to a session record, so a leaked table does not yield usable tokens and a replay can be traced back to the session it belongs to. This pattern is more work than bare JWTs, but it gives you a practical revocation story without building a full server-side session store for access tokens. The caveat is that an access token already issued stays valid until its exp, so revocation takes effect only as fast as the access-token lifetime, which is the reason to keep that lifetime short.
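The pattern above, written out as an added example (not code from the original post): a stateless HS256 access token, single-use refresh tokens of which only SHA-256 hashes are stored, a session record each hash is bound to, and reuse detection that revokes the whole session. Everything here is an assumption for illustration, including the hypothetical `SessionStore`, the fixed signing key, and the in-memory dicts standing in for a database table. Time is passed in explicitly so the flow can be replayed deterministically.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: an HS256 shared key; in production this comes from a secret store.
SIGNING_KEY = b"example-only-signing-key-replace-me"
ACCESS_TTL = 5 * 60           # seconds an access token stays valid; nothing can revoke it sooner
REFRESH_TTL = 14 * 24 * 3600  # seconds a session may keep refreshing before a full re-login


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(user_id: str, session_id: str, now: float) -> str:
    """Stateless HS256 JWT carrying the user and the session it was issued under."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "sid": session_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: float):
    """Return the claims if signature and expiry check out, else None.
    No database lookup happens here: revoking a session does not invalidate
    access tokens already issued, which is why ACCESS_TTL must stay short."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm swaps
            return None
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if now >= claims["exp"]:
            return None
        return claims
    except (ValueError, TypeError, AttributeError, KeyError):
        return None


def _token_hash(token: str) -> str:
    # Refresh tokens are 256-bit random strings, so an unsalted SHA-256 is enough:
    # a leaked table cannot be brute-forced back into the tokens.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """In-memory stand-in for the sessions table. Only refresh-token hashes are kept."""

    def __init__(self):
        self.sessions = {}      # sid -> {"user", "current", "revoked", "expires"}
        self.hash_to_sid = {}   # every refresh-token hash ever issued -> its session

    def _issue(self, sid: str, now: float):
        refresh = secrets.token_urlsafe(32)
        self.sessions[sid]["current"] = _token_hash(refresh)
        self.hash_to_sid[_token_hash(refresh)] = sid
        return mint_access_token(self.sessions[sid]["user"], sid, now), refresh

    def login(self, user_id: str, now: float):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user_id, "current": None, "revoked": False,
                              "expires": now + REFRESH_TTL}
        return self._issue(sid, now)

    def refresh(self, refresh_token: str, now: float):
        """Return (status, access_token, new_refresh_token); tokens are None unless status is "ok"."""
        presented = _token_hash(refresh_token)
        sid = self.hash_to_sid.get(presented)
        if sid is None:
            return "unknown", None, None
        sess = self.sessions[sid]
        if sess["revoked"]:
            return "revoked", None, None
        if now >= sess["expires"]:
            return "expired", None, None
        if presented != sess["current"]:
            # A token from this session that was already rotated is being presented again.
            # Either the attacker or the legitimate client is the one replaying, and we
            # cannot tell which, so the whole session is revoked and both must log in again.
            sess["revoked"] = True
            return "reuse", None, None
        access, new_refresh = self._issue(sid, now)
        return "ok", access, new_refresh
```

Walk through it with a stolen token: the client logs in, refreshes once (its old token is now rotated out), then the attacker replays the old token. The store still knows that hash, sees it is no longer the session's current one, marks the session revoked and refuses; the client's fresh token is refused on its next use as well, so the user is bounced to login. The access token the client already holds keeps verifying until its `exp`, which is exactly the window `ACCESS_TTL` bounds. One practical wrinkle not handled here: a client whose refresh request succeeded server-side but timed out on the network will legitimately retry the old token and trip the detector, so real deployments often allow a short grace window for the immediately preceding token.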