Practise the standard verbs for rotating JWT refresh tokens securely.
1 / 5
Fill in: 'We ___ a new refresh token on every use so a stolen token can only ever be replayed once before it's invalid.'
We 'issue a token' — the standard, established auth collocation for generating a new credential. The other options aren't the recognised term here.
2 / 5
Fill in: 'Reusing the same refresh token indefinitely can ___ a leaked token valid for months without anyone noticing.'
We say token reuse will 'leave' a leaked token valid — the standard, natural collocation. The other options aren't idiomatic here.
3 / 5
Fill in: 'We ___ the old refresh token the moment a new one is issued so replay attempts fail immediately.'
We 'revoke a token' — the standard, established security collocation for invalidating a credential. The other options aren't the recognised term here.
4 / 5
Fill in: 'We ___ reuse of an already-rotated refresh token as a signal of possible theft and invalidate the whole session chain.'
We 'treat' an event as a signal — the standard, established collocation for interpreting a security condition. The other options aren't the recognised term here.
5 / 5
Fill in: 'We ___ refresh token lifetime shorter than the access token's, so a stale token can't outlive its intended window.'
We 'keep' a lifetime short — the standard, simple collocation for maintaining a bounded duration. The other options are less idiomatic here.