Why are short-lived access tokens recommended with JWTs?
Short-lived tokens: because stateless JWTs are hard to revoke, keeping their lifetime short (minutes) means a stolen token expires quickly, reducing the exposure window without server-side revocation lists.
What is the purpose of a refresh token?
Refresh token: a longer-lived credential exchanged at the auth server for fresh access tokens. It keeps users logged in while access tokens stay short-lived, and can be revoked server-side independently.
What is refresh token rotation?
Rotation: each refresh returns a brand-new refresh token and revokes the previous one. If an attacker replays a used token, the server sees reuse of an invalidated token and can revoke the whole session as compromised.
What is key rotation for the signing keys of a JWT?
Signing key rotation: servers rotate signing keys over time, exposing the current public keys via a JWKS endpoint. The kid header tells verifiers which key signed a token, allowing graceful overlap during rotation.
What does the kid header parameter in a JWT indicate?
kid (key ID): a hint in the JWT header naming the signing key. During key rotation multiple keys are valid; the verifier looks up the matching public key from the JWKS by its kid to validate the signature.