I'm building a mobile app and am using JWT for authentication.
It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want.
- What does a refresh token look like? Is it a random string? Is that string encrypted? Is it another JWT?
- The refresh token would be stored in the database on the user model for access, correct? It seems like it should be encrypted in this case.
- Would I send the refresh token back after a user login, and then have the client access a separate route to retrieve an access token?
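The flow the question sketches, worked through as an added example that is not the questioner's code or any library's API. It assumes an HS256 server-side signing key, an in-memory dict standing in for the user/session table, a 15-minute access token and a 30-day refresh token. The refresh token is an opaque random string rather than a second JWT, and the database keeps only its SHA-256 hash (the server only ever needs to compare, never to recover the value, so hashing is enough and a leaked table yields nothing usable). The refresh route rotates the token on every use and treats reuse of an already-rotated token as theft, revoking the whole token family.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"demo-signing-key-do-not-ship"  # assumption: per-server HS256 key, kept in a secret store in practice
ACCESS_TTL = 15 * 60                      # assumption: 15-minute access tokens
REFRESH_TTL = 30 * 24 * 3600              # assumption: 30-day refresh tokens


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(user_id: str, now=None) -> str:
    """Minimal HS256 JWT, built by hand so the example runs offline. Use a vetted library for real."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_access_token(token: str, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64d(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust alg from the token
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        claims = json.loads(_b64d(payload))
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Constructed stand-in for the refresh-token table: sha256(token) -> record.
REFRESH_DB = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_refresh_token(user_id: str, family=None, now=None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # opaque random string; nothing inside to decode or forge
    REFRESH_DB[_hash(token)] = {
        "user_id": user_id,
        "family": family or secrets.token_hex(8),  # links all rotations of one login session
        "expires": now + REFRESH_TTL,
        "used": False,
    }
    return token


def login(user_id: str, now=None) -> dict:
    """Called after the credential check succeeds: hand back both tokens at once."""
    return {"access_token": issue_access_token(user_id, now),
            "refresh_token": issue_refresh_token(user_id, now=now)}


def refresh(refresh_token: str, now=None):
    """Separate route: trade a live refresh token for a new pair, rotating the refresh token."""
    now = time.time() if now is None else now
    rec = REFRESH_DB.get(_hash(refresh_token))
    if rec is None or rec["expires"] <= now:
        return None
    if rec["used"]:
        # Replay of a rotated token: assume it was stolen and kill the whole family.
        for r in REFRESH_DB.values():
            if r["family"] == rec["family"]:
                r["used"] = True
        return None
    rec["used"] = True
    return {"access_token": issue_access_token(rec["user_id"], now),
            "refresh_token": issue_refresh_token(rec["user_id"], rec["family"], now)}
```

The client keeps the refresh token in platform secure storage (Keychain, Keystore), sends it only to the refresh route, and replaces it with the rotated value on every call; the access token is what goes in the Authorization header on ordinary requests.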