I have some questions about implementing refresh tokens. I searched a lot but found nothing:

1. Do I have to use jwt for the Refresh Token, or can it be a hashed string? What are the benefits of using jwt in Refresh Tokens?
2. Should Refresh Tokens have an expiration time? I want to use Refresh Tokens for a "remember me" feature, so if the user comes back to the website or mobile app after a month, he should be able to continue as a logged-in user.
3. Do I have to send the Refresh Token to the client? (As we store it in the database and we delete it on logout.)