Hacker News
by zeveb 3171 days ago
The standard way, I think, is to issue a short-lived self-validating ('stateless') token for access and a long-lived validation-required ('stateful') token for access-token renewal. The mobile app logs in once and uses the access token until it's about to expire; the remote app server doesn't need to perform an online validation since the access token is self-validating. When the access token is about to expire, the client requests a refreshed access token from the remote token server using the refresh token.

In other words, there's not a long-lived self-validating JWT. If for some reason that were required, you might rotate the shared secret or signing key.
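The two-token scheme the comment describes, as an added example that is not the commenter's code: a token server issues an HMAC-signed, self-validating access token (HS256 JWT built from the standard library, no PyJWT) plus an opaque random refresh token that only means something in the server's own table; the app server checks the access token offline with the shared key; the client refreshes shortly before expiry, and revoking or rotating the key takes effect without the app server ever calling home. The TTLs, the refresh margin, the in-memory table and the `Client`/`TokenServer` names are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TTL = 300            # seconds; short-lived, self-validating (assumed value)
REFRESH_TTL = 30 * 86400    # seconds; long-lived, validated against server state (assumed)
REFRESH_MARGIN = 30         # client renews this many seconds before expiry (assumed)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenServer:
    """Remote token server: holds the HMAC key and the refresh-token table (its only state)."""

    def __init__(self, key: bytes):
        self.key = key
        self.refresh_table = {}   # refresh token -> (subject, expiry); hypothetical in-memory store

    def login(self, subject: str, now: int):
        refresh = secrets.token_urlsafe(32)   # opaque: carries no claims, resolved only via the table
        self.refresh_table[refresh] = (subject, now + REFRESH_TTL)
        return self.issue_access(subject, now), refresh

    def issue_access(self, subject: str, now: int) -> str:
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        payload = _b64(json.dumps({"sub": subject, "iat": now, "exp": now + ACCESS_TTL},
                                  separators=(",", ":")).encode())
        sig = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64(sig)}"

    def refresh(self, refresh_token: str, now: int):
        entry = self.refresh_table.get(refresh_token)   # the one online, stateful check
        if entry is None:
            return None
        subject, expiry = entry
        if now >= expiry:
            del self.refresh_table[refresh_token]
            return None
        return self.issue_access(subject, now)

    def revoke(self, refresh_token: str) -> None:
        self.refresh_table.pop(refresh_token, None)


def verify_access(key: bytes, token: str, now: int):
    """App server: validate the access token offline; returns the subject or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        # Check the MAC before trusting anything inside the token; pin the algorithm.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(payload))
        if now >= int(claims["exp"]):
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


class Client:
    """Mobile app: logs in once, presents the access token, renews it near expiry."""

    def __init__(self, server: TokenServer, subject: str, now: int):
        self.server = server
        self.access, self.refresh_token = server.login(subject, now)

    def bearer(self, now: int):
        exp = json.loads(_unb64(self.access.split(".")[1]))["exp"]   # own token, for scheduling only
        if now >= exp - REFRESH_MARGIN:
            renewed = self.server.refresh(self.refresh_token, now)
            if renewed is None:
                return None          # refresh token expired or revoked: a full login is required
            self.access = renewed
        return self.access
```

Revocation here only reaches the refresh token: an access token already in flight stays valid until its `exp`, which is the price of skipping the online check and why the access TTL is kept short. Rotating the key is the blunt instrument the comment mentions: every access token signed under the old key fails `verify_access` at once, legitimate ones included, so it is a response to key compromise rather than a routine logout mechanism.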