by Maxion 930 days ago
Short-lived access token and long-lived refresh token.

Upon access token refresh and login, the refresh token is also rotated.

Refresh token expiry is tens of days, access token some hours.

Their opinion is that this is enough security.

IMO the refresh token is vulnerable being stored in localStorage, and relying on users logging in and/or triggering a token refresh to rotate the refresh token is not really that great.
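The rotation scheme the comment describes (short-lived access token, long-lived refresh token rotated on every refresh), with the server-side reuse check that makes rotation worth something if a refresh token is lifted from localStorage: an example written for this page, not code from the thread or from the service under discussion. The class and function names are hypothetical, the store is in memory, and the access token is a stand-in dict rather than a signed JWT.

```python
import secrets
import time

# Lifetimes from the comment: "some hours" and "tens of days" (constructed values).
ACCESS_TTL = 2 * 3600
REFRESH_TTL = 30 * 24 * 3600


class RefreshTokenStore:
    """Hypothetical server-side store: each refresh token belongs to a
    'family' started at login; rotation consumes the old token and issues
    a new one in the same family."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.tokens = {}          # token -> record
        self.revoked_families = set()

    def _issue(self, user, family):
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"family": family, "user": user,
                            "exp": self.now() + REFRESH_TTL, "used": False}
        return tok

    def _access(self, user):
        # Stand-in for a signed access token; only the claims matter here.
        return {"sub": user, "exp": self.now() + ACCESS_TTL}

    def login(self, user):
        # A fresh login starts a new family.
        family = secrets.token_hex(8)
        return self._issue(user, family), self._access(user)

    def refresh(self, presented):
        rec = self.tokens.get(presented)
        if rec is None or rec["exp"] < self.now():
            raise PermissionError("unknown or expired refresh token")
        if rec["family"] in self.revoked_families:
            raise PermissionError("token family revoked")
        if rec["used"]:
            # The token was already rotated once. Whoever presents it now
            # (legitimate client or someone who copied it from localStorage)
            # has a stale copy, so revoke the whole family and force a
            # fresh login for both holders.
            self.revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected")
        rec["used"] = True
        return self._issue(rec["user"], rec["family"]), self._access(rec["user"])
```

Without the `used` check, a copied refresh token stays valid until its tens-of-days expiry even though the legitimate client keeps rotating its own; with it, the first replay of a rotated token ends the session for everyone holding that family.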