**JWT Authentication Security Guide: Refresh Token Rotation and Production-Ready Implementation**

web_dev

JWT Authentication Security Guide: Refresh Token Rotation and Production-Ready Implementation

Learn how to build secure JWT authentication with refresh token rotation, automatic token handling, and protection against replay attacks. Implement production-ready auth systems.

Jun 27, 2025

**JWT Authentication Security Guide: Refresh Token Rotation and Production-Ready Implementation**

Building secure authentication systems remains a critical challenge in modern web development. I’ve implemented JWT-based authentication in multiple production applications and learned that proper token handling requires careful consideration. Let’s explore a robust approach that balances security and user experience.

Token expiration presents a key security measure. Short-lived access tokens (15-30 minutes) limit exposure if compromised. But frequent logouts damage user experience. Refresh tokens solve this by providing longer-lived credentials (7 days) exclusively for obtaining new access tokens. The real security boost comes when we rotate refresh tokens after each use.

Consider this server-side implementation for token refresh:

// Refresh token endpoint
app.post('/api/refresh', async (req, res) => {
  const refreshToken = req.cookies.refreshToken;
  if (!refreshToken) return res.sendStatus(401);

  try {
    const decoded = jwt.verify(refreshToken, process.env.REFRESH_SECRET);
    const userId = decoded.id;
    
    // Retrieve stored token from database
    const storedToken = await db.refreshTokens.findUnique({
      where: { userId }
    });
    
    // Critical security check
    if (!storedToken || storedToken.token !== refreshToken) {
      await db.refreshTokens.deleteMany({ where: { userId } });
      return res.sendStatus(403);
    }
    
    // Generate new tokens
    const newAccessToken = jwt.sign(
      { id: userId }, 
      process.env.ACCESS_SECRET, 
      { expiresIn: '15m' }
    );
    
    const newRefreshToken = jwt.sign(
      { id: userId },
      process.env.REFRESH_SECRET,
      { expiresIn: '7d' }
    );
    
    // Update stored token
    await db.refreshTokens.update({
      where: { userId },
      data: { token: newRefreshToken }
    });
    
    // Set secure cookies
    res.cookie('accessToken', newAccessToken, {
      httpOnly: true,
      secure: true,
      sameSite: 'Strict',
      maxAge: 900000 // 15 minutes
    });
    
    res.cookie('refreshToken', newRefreshToken, {
      httpOnly: true,
      secure: true,
      sameSite: 'Strict',
      maxAge: 604800000 // 7 days
    });
    
    res.json({ success: true });
  } catch (error) {
    res.clearCookie('accessToken');
    res.clearCookie('refreshToken');
    res.sendStatus(403);
  }
});

Token storage decisions significantly impact security. I always recommend HTTP-only cookies over localStorage. This prevents XSS attacks from stealing tokens. The sameSite=Strict attribute adds CSRF protection. For additional security, pair this with a CSRF token for state-changing operations.

Client-side token management requires special attention. Here’s how I handle automatic token refreshing in React applications:

// Axios interceptor implementation
import axios from 'axios';
import { useEffect } from 'react';

export function useTokenRefresh() {
  useEffect(() => {
    const interceptor = axios.interceptors.response.use(
      response => response,
      async error => {
        const originalRequest = error.config;
        const status = error.response?.status;
        
        if (status === 401 && !originalRequest._retry) {
          originalRequest._retry = true;
          
          try {
            // Attempt refresh token request
            await axios.post('/api/refresh', {}, {
              withCredentials: true
            });
            
            // Retry original request
            return axios(originalRequest);
          } catch (refreshError) {
            // Redirect to login on refresh failure
            window.location.href = '/login?session_expired=1';
            return Promise.reject(refreshError);
          }
        }
        
        return Promise.reject(error);
      }
    );
    
    return () => {
      axios.interceptors.response.eject(interceptor);
    };
  }, []);
}

// Component implementation
function App() {
  useTokenRefresh();
  
  return (
    <div className="App">
      {/* Application components */}
    </div>
  );
}

Protection against token replay requires server-side tracking. When we detect reuse of a refresh token, we immediately invalidate all sessions for that user. This is how I implement token revocation in a PostgreSQL database:

-- Database schema for token tracking
CREATE TABLE refresh_tokens (
  user_id UUID REFERENCES users(id) ON DELETE CASCADE,
  token_hash TEXT NOT NULL,
  created_at TIMESTAMPTZ DEFAULT NOW(),
  PRIMARY KEY (user_id)
);

-- Token verification pseudocode
async function verifyRefreshToken(userId, token) {
  const storedHash = await getTokenHash(userId);
  const currentHash = hashToken(token);
  
  if (!storedHash || storedHash !== currentHash) {
    // Critical security event - possible token theft
    await deleteAllTokensForUser(userId);
    return false;
  }
  
  return true;
}

Token generation must follow security best practices. I always use asymmetric cryptography for access tokens in multi-service environments:

// Asymmetric JWT signing example
const accessToken = jwt.sign(
  { userId: user.id, role: user.role },
  process.env.ACCESS_PRIVATE_KEY,
  { 
    algorithm: 'RS256',
    expiresIn: '15m'
  }
);

// Verification with public key
jwt.verify(accessToken, process.env.ACCESS_PUBLIC_KEY, (err, user) => {
  // Handle verification
});

Dealing with concurrent requests presents another challenge. In high-traffic applications, I implement token queuing to prevent multiple refresh attempts:

// Request queuing implementation
let isRefreshing = false;
let failedRequests = [];

axios.interceptors.response.use(null, async error => {
  if (error.response.status !== 401) return Promise.reject(error);
  
  if (isRefreshing) {
    return new Promise(resolve => {
      failedRequests.push(() => resolve(axios(error.config)));
    });
  }
  
  isRefreshing = true;
  
  try {
    await refreshTokens();
    failedRequests.forEach(cb => cb());
    failedRequests = [];
    return axios(error.config);
  } catch (refreshError) {
    failedRequests.forEach(cb => cb(Promise.reject(refreshError)));
    return Promise.reject(error);
  } finally {
    isRefreshing = false;
  }
});

Security headers form the final defense layer. This configuration has served me well across multiple projects:

# NGINX security headers configuration
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header Referrer-Policy "strict-origin-when-cross-origin";

Proper token expiration handling creates a security-conscious user experience. I implement gradual session warnings like this:

// Session expiration warning
function useSessionWarning() {
  useEffect(() => {
    const warningTimeout = setTimeout(() => {
      showModal('Your session will expire in 5 minutes');
    }, 10 * 60 * 1000); // 10 minutes
    
    const expirationTimeout = setTimeout(() => {
      redirectToLogin();
    }, 15 * 60 * 1000); // 15 minutes
    
    return () => {
      clearTimeout(warningTimeout);
      clearTimeout(expirationTimeout);
    };
  }, []);
}

Through careful implementation, we achieve both security and usability. The token rotation pattern significantly reduces risk without compromising user experience. Each project brings new insights, but these core principles provide a reliable foundation for authentication systems.