Very solid article!

We use the access_token and refresh_token technique.
access_tokens are very short-lived, whereas refresh_tokens (which will be a copy of the access_token except for the expiry time) are relatively long-lived.

Once the access_token has expired, the refresh_token can be used to get a new set of tokens.

Now we maintain a list of invalidated refresh_tokens, registering them on logout.

  1. More secure than only an access_token.
  2. We can implement sliding sessions.
  3. More optimal than blacklisting access_tokens (as this will query the db only when a refresh_token is sent).
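The scheme described in this comment (short-lived access token, long-lived refresh token with the same claims but a later expiry, and a denylist of refresh tokens that is consulted only at the refresh endpoint) as an added example, not code from the commenter or from the article. It uses only the Python standard library with a hand-rolled HS256 JWT; the secret key, the TTLs, the `typ` and `jti` claims that tell the two token kinds apart, the in-memory `revoked_refresh` set standing in for the database table, and the rotation step (the old refresh token is revoked each time it is used) are all assumptions layered on top of what the comment states.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed placeholder key
ACCESS_TTL = 300            # assumed: 5 minutes
REFRESH_TTL = 14 * 86400    # assumed: 14 days


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT: header.payload.signature (base64url)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, body, sig = token.split(".")
        provided = _b64url_decode(sig)
        payload = _b64url_decode(body)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):  # constant-time comparison
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def issue_pair(user_id: str, now=None):
    """Access and refresh token carry the same claims; only exp (and typ/jti) differ."""
    now = int(time.time()) if now is None else int(now)
    base = {"sub": user_id, "iat": now}
    access = sign({**base, "typ": "access", "exp": now + ACCESS_TTL})
    refresh_tok = sign({**base, "typ": "refresh", "exp": now + REFRESH_TTL,
                        "jti": secrets.token_hex(8)})  # jti lets us denylist one token
    return access, refresh_tok


# Stands in for the "list of invalidated refresh_tokens" table (assumed in-memory here).
revoked_refresh = set()


def logout(refresh_token: str, now=None) -> bool:
    """Register the refresh token as invalidated. The access token simply ages out."""
    claims = verify(refresh_token, now=now)
    if not claims or claims.get("typ") != "refresh":
        return False
    revoked_refresh.add(claims["jti"])
    return True


def refresh(refresh_token: str, now=None):
    """Exchange a refresh token for a new pair. This is the only place the denylist is queried."""
    claims = verify(refresh_token, now=now)
    if not claims or claims.get("typ") != "refresh":   # an access token cannot refresh
        return None
    if claims["jti"] in revoked_refresh:               # the single DB lookup on the hot path
        return None
    revoked_refresh.add(claims["jti"])                 # rotation (assumed): old token is spent
    return issue_pair(claims["sub"], now=now)


if __name__ == "__main__":
    access, refresh_tok = issue_pair("alice")
    print("access valid:", verify(access) is not None)
    print("refreshed:", refresh(refresh_tok) is not None)
    print("replay rejected:", refresh(refresh_tok) is None)
```

Ordinary API requests only call `verify` on the access token, which is a pure signature check with no storage access; the denylist is touched only in `refresh`, which is what point 3 of the comment relies on. The cost of that design is the window between logout and access-token expiry during which the old access token still verifies, so `ACCESS_TTL` should be kept short.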