I'm building a mobile and a web app. Both apps will be talking to a node server. I am using JWT for authentication.
Currently, I have the following code to generate an access token:
const jwt = require("jsonwebtoken"); // assumed: the jsonwebtoken package, whose sign() matches the call below
const token = jwt.sign({ user: body }, "top_secret"); // HS256 by default; no expiry claim is set here
I'm really confused about refresh tokens and access tokens:
- How to create a refresh token?
- What do refresh tokens look like?
- Can I create a refresh token - similar to the way I'm creating an access token?
- Is the refresh token only used to generate a new access token?
- Can the refresh token be used as an access token?
- How do you invalidate an access token?
- How do you invalidate a refresh token? Examples I've seen used databases to store refresh tokens. The refresh tokens are deleted when you want to invalidate an access token. The refresh token would be stored in the database on the user model, correct? It seems like it should be encrypted in this case.
- When the user logs into my application, do I send both the access token and the refresh token? I read somewhere (can't remember where) that it's not good practice to send both an access token and a refresh token.
- If it's bad practice to send both access and refresh tokens, when do you send a refresh token to the client? Should there be an endpoint where the client requests an access token?
- What's a good expiry time for access tokens and refresh tokens?