Following Thomas Ptacek's tweet saying "Thinking about securing an API with JWT? First, punch yourself in the face. Then: just use a 256 bit random token, and a database.", two questions:
Should we also use refresh tokens, sent alongside the auth token in the response, to obtain a new auth token once it has expired?
Do you think tokens should expire at regular intervals (every N time units, i.e. a fixed lifetime counted from issue), or after a timeout since the last request made with that particular token (an idle timeout)?
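To make the two questions concrete, here is an added example (not code from the post, and not Ptacek's) of what "a 256 bit random token and a database" looks like in practice, with both expiry policies from the second question applied together and refresh tokens from the first question. It assumes an in-memory SQLite table, lifetimes chosen only for illustration (8 h absolute and 15 min idle for access tokens, 30 days for single-use refresh tokens), and that the database stores only a SHA-256 of each token so a leaked row cannot be replayed. The refresh-token rotation and reuse detection are the editor's additions, not something the post describes.

```python
import hashlib
import secrets
import sqlite3
import time
from typing import Optional, Tuple

# Illustrative lifetimes (assumptions for this example, not recommendations from the post).
TOKEN_BYTES = 32                   # 256 bits from the OS CSPRNG
ACCESS_ABSOLUTE = 8 * 3600         # an access token dies 8 h after issue, no matter what...
ACCESS_IDLE = 15 * 60              # ...or 15 min after its last use, whichever comes first
REFRESH_ABSOLUTE = 30 * 24 * 3600  # a refresh token is single-use and lives at most 30 days


def _hash(token: str) -> str:
    # Only the hash is stored: a leaked database row cannot be used as a bearer token.
    # The token carries 256 bits of entropy, so an unsalted SHA-256 is sufficient.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    def __init__(self, conn: sqlite3.Connection, clock=time.time):
        self.conn = conn
        self.clock = clock  # injectable so expiry behaviour can be tested deterministically
        conn.execute(
            """CREATE TABLE IF NOT EXISTS tokens (
                 token_hash TEXT PRIMARY KEY,
                 user_id    TEXT NOT NULL,
                 kind       TEXT NOT NULL CHECK (kind IN ('access', 'refresh')),
                 issued_at  REAL NOT NULL,
                 last_used  REAL NOT NULL,
                 revoked    INTEGER NOT NULL DEFAULT 0)"""
        )

    def _insert(self, user_id: str, kind: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)  # 32 random bytes, base64url-encoded
        now = self.clock()
        self.conn.execute(
            "INSERT INTO tokens VALUES (?, ?, ?, ?, ?, 0)",
            (_hash(token), user_id, kind, now, now),
        )
        return token

    def issue(self, user_id: str) -> Tuple[str, str]:
        """Return a fresh (access_token, refresh_token) pair for user_id."""
        return self._insert(user_id, "access"), self._insert(user_id, "refresh")

    def authenticate(self, access_token: str) -> Optional[str]:
        """Return the user id behind a live access token, else None.
        Enforces the absolute lifetime and the idle timeout, then slides last_used."""
        now = self.clock()
        h = _hash(access_token)
        row = self.conn.execute(
            "SELECT user_id, issued_at, last_used, revoked FROM tokens "
            "WHERE token_hash = ? AND kind = 'access'",
            (h,),
        ).fetchone()
        if row is None:
            return None
        user_id, issued_at, last_used, revoked = row
        if revoked or now - issued_at > ACCESS_ABSOLUTE or now - last_used > ACCESS_IDLE:
            return None
        self.conn.execute("UPDATE tokens SET last_used = ? WHERE token_hash = ?", (now, h))
        return user_id

    def refresh(self, refresh_token: str) -> Optional[Tuple[str, str]]:
        """Exchange a live refresh token for a new pair; the presented token is revoked.
        Presenting an already-revoked refresh token is treated as theft (the attacker or
        the legitimate client used it first), so every token of that user is revoked."""
        h = _hash(refresh_token)
        row = self.conn.execute(
            "SELECT user_id, issued_at, revoked FROM tokens "
            "WHERE token_hash = ? AND kind = 'refresh'",
            (h,),
        ).fetchone()
        if row is None:
            return None
        user_id, issued_at, revoked = row
        if revoked:
            self.revoke_all(user_id)
            return None
        if self.clock() - issued_at > REFRESH_ABSOLUTE:
            return None
        self.conn.execute("UPDATE tokens SET revoked = 1 WHERE token_hash = ?", (h,))
        return self.issue(user_id)

    def revoke_all(self, user_id: str) -> None:
        """Server-side logout: the thing a JWT cannot do without a database anyway."""
        self.conn.execute("UPDATE tokens SET revoked = 1 WHERE user_id = ?", (user_id,))
```

Both expiry policies are checked on every request: the idle timeout bounds how long a stolen token stays useful after the victim stops using it, and the absolute lifetime bounds it even when the attacker keeps the token warm by using it. Lookup is a single primary-key read, so the "and a database" part of the tweet costs one indexed query per request, and revocation is an UPDATE rather than a blocklist bolted onto a stateless design.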