Easy · Authentication · 📖 Theory Question

What is refresh token rotation and why is it important?

💡 Hint

Each refresh issues a new refresh token and invalidates the old one — if a stolen token is used, the legitimate session is detectable

Full Answer

The problem: Access tokens are short-lived (15 min), but refresh tokens are long-lived (days/weeks). A stolen refresh token gives an attacker indefinite access.

Refresh token rotation:

  1. When a client uses a refresh token to get a new access token, the server issues a brand-new refresh token and invalidates the old one.
  2. If an attacker steals the refresh token and tries to use it after the legitimate client already rotated it, the server detects the reuse of an already-invalidated token.
  3. Server policy on reuse detection: invalidate the entire refresh token family (all sessions), which forces re-authentication.

// Token family concept
POST /auth/refresh { refreshToken: "rt_v1" }
→ { accessToken: "at_new", refreshToken: "rt_v2" }
// rt_v1 is now invalid

// If attacker uses rt_v1 again:
POST /auth/refresh { refreshToken: "rt_v1" }
→ 401 — AND server invalidates rt_v2 too (reuse detected)

Storage: Refresh tokens should be stored in HttpOnly cookies, never localStorage.
