Why do access tokens intentionally have a short lifetime?
Short lifetime: because tokens are bearer credentials (anyone holding them can use them), keeping them short-lived reduces the attack window if intercepted. Typical access token lifetimes are 15 minutes to 1 hour.
What is a silent refresh in a single-page application?
Silent refresh: before the access token expires, the SPA quietly requests a new one (via a hidden iframe to the auth server or a background request with the refresh token) so the user never sees an interruption.
What is refresh token rotation?
Rotation: on each use of a refresh token, the server issues a new refresh token and revokes the old one. If a stolen refresh token is used, the legitimate owner's next refresh fails (reuse detection), signalling the authorization server to revoke all tokens in that family.
What is token introspection?
Token introspection (RFC 7662): a resource server that receives an opaque token calls the authorization server's introspection endpoint to verify validity, scopes, and metadata. This allows centralized revocation checks.
Where should refresh tokens be stored in a web application?
Refresh token storage: localStorage is readable by any JavaScript running on the page (XSS risk). Storing the refresh token in an HttpOnly cookie makes it invisible to scripts. Adding the Secure flag (cookie sent only over HTTPS) and SameSite=Strict further protects against network sniffing and CSRF.