Refresh Tokens and Expiry
Rotate access tokens without re-login.
Why Tokens Expire
A stolen token is dangerous only while it works. Giving every access token a short expiry shrinks that window of risk. ⏳
The exp Claim
Expiry lives in the token's exp claim, a timestamp. Once the verifier's clock passes it, the token is rejected, even if its signature is still valid.