Force Expiring of JWTs with Refresh Tokens

A concept to stop the bully who somehow stole your JWT.

© Jasna Matz, Force & Beauty via 500px

Why not include a simple reference to the issuing refresh token in the JWT payload for additional validation?

  1. Check for the presence of a token in the request’s headers.
  2. Check that token is a valid JWT, correctly signed and not expired.
  3. Check the user exists from the uid property of the payload.
  4. Check the issuing refresh token still exists from the rid property.
  5. If all these checks pass, the token is valid; the server’s response now has the context of the requesting user, and every JWT issued against that refresh token can be invalidated at once by deleting the refresh token, e.g. via a request similar to /logout .
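The five checks above as one runnable procedure. This is an added example and not code from the article or its author; it implements HS256 JWTs with the standard library instead of a JWT package, keeps the refresh tokens in an in-memory dict standing in for a database, and the secret, user ids and timestamps are constructed for the demo. The `uid` and `rid` claim names are the article's; the function names are assumptions. One detail the list leaves implicit is also checked: the stored refresh token must belong to the same `uid` the JWT names, so a `rid` cannot be paired with another user's JWT.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret; a real service loads this from a secret store.
SECRET = b"constructed-demo-hs256-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_refresh_token(refresh_store: dict, uid: str, now: int) -> str:
    """Create a refresh token record; the JWT will carry its id as `rid`."""
    rid = secrets.token_urlsafe(16)
    refresh_store[rid] = {"uid": uid, "created": now}
    return rid

def issue_jwt(uid: str, rid: str, ttl: int, now: int, secret: bytes = SECRET) -> str:
    """Sign an HS256 JWT whose payload references the issuing refresh token."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"uid": uid, "rid": rid, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def decode_jwt(token: str, now: int, secret: bytes = SECRET):
    """Step 2: verify signature and expiry; return the payload or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
        # Pin the algorithm and compare in constant time.
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload

def validate_request(headers: dict, users: set, refresh_store: dict, now: int, secret: bytes = SECRET):
    """Run checks 1-5; return (uid, "ok") or (None, reason)."""
    auth = headers.get("Authorization", "")           # 1. token present?
    if not auth.startswith("Bearer "):
        return None, "missing token"
    payload = decode_jwt(auth[len("Bearer "):], now, secret)  # 2. signed, unexpired
    if payload is None:
        return None, "invalid or expired jwt"
    uid = payload.get("uid")                          # 3. user still exists?
    if uid not in users:
        return None, "unknown user"
    entry = refresh_store.get(payload.get("rid"))     # 4. refresh token still exists?
    if entry is None or entry["uid"] != uid:
        return None, "refresh token revoked"
    return uid, "ok"                                  # 5. request has user context

def logout(refresh_store: dict, rid: str) -> None:
    """Deleting the refresh token invalidates every JWT that references it."""
    refresh_store.pop(rid, None)

if __name__ == "__main__":
    users, store, now = {"u1"}, {}, 1_700_000_000
    rid = issue_refresh_token(store, "u1", now)
    token = issue_jwt("u1", rid, ttl=900, now=now)
    print(validate_request({"Authorization": "Bearer " + token}, users, store, now + 100))
    logout(store, rid)
    print(validate_request({"Authorization": "Bearer " + token}, users, store, now + 100))
```

The cost of check 4 is one store lookup per request, which is exactly the statefulness a plain JWT scheme avoids; whether that lookup is worth the ability to revoke is the trade-off the rest of the article leaves to the reader.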

It’s up to you as to what you’d prefer to focus on.



github/@peterboyer React, UI, API Design and other thoughts
