JWT Refresh Token Rotation
A security strategy where each use of a refresh token issues a new refresh token and invalidates the old one, so that any later replay of an already-consumed token exposes the theft and revokes the whole token family.
Description
JWT Refresh Token Rotation is a security pattern where the authorization server issues a new refresh token every time a refresh token is used to obtain a new access token. The previously used refresh token is immediately invalidated. This limits the window of exposure if a refresh token is compromised: a stolen token can be exchanged at most once, and whichever party presents it second (the attacker replaying it after the victim has already rotated, or the victim presenting it after the attacker has already used it) triggers reuse detection, which invalidates the entire token family.
The mechanism works by maintaining a token family, a chain of refresh tokens that all originate from the same initial authentication event. When a refresh token is presented to the /token endpoint, the server issues both a new access token and a new refresh token, marks the used refresh token as consumed, and records the lineage. If a previously consumed refresh token is presented, the server treats it as evidence of theft, revokes the entire token family, and forces all parties to re-authenticate. Two implementation details matter here: the lookup-and-consume step must be atomic (a conditional update or equivalent), otherwise two concurrent requests carrying the same token can both succeed and rotation silently degrades into plain refresh; and the server should store only a hash of each refresh token, so a leaked token table does not yield usable credentials. Reuse is not always theft: a client that loses the /token response to a network failure, or two browser tabs refreshing at once, will legitimately present the same token twice. Strict rotation revokes the family in that case as well, so clients must be written to re-authenticate cleanly, and some providers offer a short, configurable reuse interval to absorb these races at the cost of a slightly wider theft window.
This pattern is particularly important for public clients like SPAs and mobile apps, which cannot keep a client secret and cannot store refresh tokens as securely as a server can; the OAuth 2.0 Security Best Current Practice (RFC 9700) calls for refresh tokens issued to such clients to be either sender-constrained or rotated. Auth0, Okta, and most modern identity providers support automatic refresh token rotation. Implementation should include an absolute lifetime limit on each token family (e.g., 30 days) measured from the original authentication, after which re-authentication is required regardless of how recently the token was rotated. Pair this with short-lived access tokens (5-15 minutes) for defense in depth: rotation bounds how long a stolen refresh token is useful, and a short access token lifetime bounds how long a stolen access token is useful, since access tokens are typically verified by signature alone and not checked against the server's revocation state.
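The following is an added worked example of the rotation, reuse-detection and absolute-lifetime logic described above; it is not code from the original page nor from Auth0, Okta or any other provider. It models the refresh-token side of a /token endpoint with an in-memory dictionary standing in for the database table (and for the Redis cache) the text mentions, mints access tokens as HS256 JWTs with the standard library, and uses constructed constants (the signing key, the 10-minute access lifetime, the 30-day family lifetime) that are assumptions of the example. It implements strict detection with no reuse interval, and an injectable clock so the family expiry can be exercised without waiting 30 days.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed parameters for this example (not values from any real deployment).
ACCESS_TOKEN_TTL = 10 * 60            # short-lived access token: 10 minutes
FAMILY_MAX_AGE = 30 * 24 * 60 * 60    # absolute family lifetime: 30 days
SIGNING_KEY = b"example-hs256-key-do-not-use"   # hypothetical HS256 secret


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_access_token(subject: str, now: float) -> str:
    """Build a minimal HS256 JWT (header.payload.signature) for the subject."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + ACCESS_TOKEN_TTL}
    payload = _b64url(json.dumps(claims, **compact).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


@dataclass
class Family:
    family_id: str
    subject: str
    created_at: float          # time of the original authentication
    revoked: bool = False


@dataclass
class RefreshRecord:
    family_id: str
    created_at: float
    consumed_at: Optional[float] = None   # set once the token has been exchanged


class RotationError(Exception):
    """Any refresh failure; the client must re-authenticate."""


class AuthServer:
    """In-memory model of the refresh-token side of a /token endpoint."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.families: Dict[str, Family] = {}
        self.refresh: Dict[str, RefreshRecord] = {}   # keyed by SHA-256 of the token

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash, so a leaked token table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue_refresh(self, family_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh[self._key(token)] = RefreshRecord(family_id, now)
        return token

    def login(self, subject: str) -> Tuple[str, str]:
        """Initial authentication: start a new family, return (access, refresh)."""
        now = self.clock()
        family_id = secrets.token_hex(8)
        self.families[family_id] = Family(family_id, subject, now)
        return mint_access_token(subject, now), self._issue_refresh(family_id, now)

    def refresh_tokens(self, presented: str) -> Tuple[str, str]:
        """Rotate: consume the presented refresh token and issue a new pair."""
        now = self.clock()
        record = self.refresh.get(self._key(presented))
        if record is None:
            raise RotationError("unknown refresh token")
        family = self.families[record.family_id]
        if family.revoked:
            raise RotationError("family revoked")
        if record.consumed_at is not None:
            # A consumed token came back: someone else holds a copy. Kill the chain.
            family.revoked = True
            raise RotationError("refresh token reuse detected; family revoked")
        if now - family.created_at > FAMILY_MAX_AGE:
            family.revoked = True
            raise RotationError("family expired; re-authenticate")
        record.consumed_at = now   # in a real store: an atomic conditional update
        return mint_access_token(family.subject, now), self._issue_refresh(family.family_id, now)


def attempt_refresh(server: AuthServer, token: str) -> str:
    """Return 'ok' on success, otherwise the server's reason for refusing."""
    try:
        server.refresh_tokens(token)
        return "ok"
    except RotationError as exc:
        return str(exc)


def theft_scenario() -> List[str]:
    """Victim rotates first; an attacker then replays the stolen original token."""
    server = AuthServer()
    _, rt1 = server.login("alice")
    _, rt2 = server.refresh_tokens(rt1)    # legitimate rotation: rt1 is now consumed
    return [
        "rotated",
        attempt_refresh(server, rt1),      # attacker replays rt1: reuse detected
        attempt_refresh(server, rt2),      # victim's fresh rt2 is dead too: family revoked
    ]


if __name__ == "__main__":
    print(theft_scenario())
```

Note that the victim's current token rt2 is refused after the attacker's replay even though it was never itself misused: that is the point of revoking by family_id rather than by token, and it is why clients must handle a refresh failure by falling back to a full login rather than retrying.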
Prompt Snippet
Implement refresh token rotation where each token exchange at the /token endpoint returns both a new access token and a new refresh token, immediately invalidating the consumed refresh token. Store refresh token families in a database table with columns for token_id (a hash of the token, never the raw value), family_id, consumed_at, and created_at, and mark a token consumed with an atomic conditional update so two concurrent exchanges of the same token cannot both succeed. On reuse detection (a consumed refresh token is presented), revoke the entire family by family_id and force re-authentication. Set an absolute family lifetime of 30 days from the original authentication. Use Redis to cache active token family lookups for performance, and invalidate the cache entry whenever a family is revoked so a stale "active" entry cannot outlive the revocation.
Related Terms
JWT (JSON Web Tokens)
A compact, URL-safe token format that encodes claims as a JSON object, digitally signed for integrity verification and optionally encrypted for confidentiality.
Token Revocation
The mechanism for invalidating issued access or refresh tokens before their natural expiration, typically triggered by logout, password change, or security events.
Token Blacklisting
A server-side list of revoked tokens that are checked on each request to deny access from tokens that have been invalidated before their natural expiration.
Session Management
The practice of securely creating, maintaining, and destroying user sessions to track authenticated state across stateless HTTP requests.
Brute Force Protection
A set of defense mechanisms that detect and block automated high-volume authentication attempts aimed at guessing credentials through exhaustive trial.