by
kyriakos
2523 days ago
When is the refresh token meant to be expiring? Can't the man in the middle just use the refresh token to get a new valid jwt?
thangngoc89
2523 days ago
From the article, refresh tokens are revokable. The whole point of JWT + refresh token is that for normal operation, you don't need to hit the database but are still able to revoke a token.