Security

Refresh Token Rotation

Issue a new refresh token on every use and detect theft when an old one reappears.

Why Refresh Tokens Are Risky

Access tokens are short-lived, but refresh tokens are long-lived and let a client obtain new access tokens without the user signing in again. If a refresh token is stolen, an attacker can keep minting fresh access tokens silently for as long as the refresh token remains valid, and nothing in the normal flow reveals it. Long life plus high value makes them a prime target.

How Rotation Works

With refresh token rotation, each time a client redeems a refresh token it receives a brand-new one, and the token it just presented is invalidated at the same time.

  • Every refresh issues a new refresh token, so the tokens form a chain (a token family) that traces back to the original login.
  • The previous token is revoked immediately, but the server still remembers it as used, so a later presentation of it can be recognised rather than rejected as an unknown token.
  • If a revoked token is reused, that signals theft: the legitimate client and an attacker both hold tokens from the same chain, and whichever of them presents the stale one exposes the duplication.

Reuse Detection

When the server sees an already-used refresh token, it assumes compromise and revokes the entire token family, including the newest token in the chain, forcing both the legitimate client and the attacker to re-authenticate. Rotation does not stop the first use of a stolen token; it bounds how long the token stays useful, because the theft is exposed the moment the other party refreshes.

  • Bind every token to its family so revoking one revokes all, whether the stale token was presented by the thief or by the legitimate client.
  • Store refresh tokens securely (for browsers, an HttpOnly, Secure cookie scoped to the token endpoint) and never expose them to scripts; on the server, keep only a hash of each token so a database leak does not hand out usable tokens.
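The rotation and reuse-detection steps above, as an added example that is not part of the original lesson: a small in-memory token store in Python. The class and method names (RefreshTokenStore, login, rotate, revoke_family), the 30-day lifetime and the user ids are assumptions for illustration. Two scenarios are exercised: the attacker replays a stolen copy after the legitimate client has already rotated, and the attacker wins the race by rotating first, so the legitimate client's own refresh is what trips the alarm.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field


class RefreshTokenReuse(Exception):
    """An already-rotated token was presented: treated as theft, family revoked."""


class InvalidRefreshToken(Exception):
    """Unknown, expired, or belongs to a family that has been revoked."""


@dataclass
class TokenRecord:
    family_id: str
    user_id: str
    expires_at: float
    used: bool = False  # set on rotation; record is kept so reuse is recognisable


@dataclass
class RefreshTokenStore:
    """Server-side state, keyed by SHA-256 of the opaque token, never the raw token."""
    ttl_seconds: int = 30 * 24 * 3600          # assumed 30-day refresh token lifetime
    tokens: dict = field(default_factory=dict)  # token_hash -> TokenRecord
    revoked_families: set = field(default_factory=set)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user_id: str, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[self._hash(token)] = TokenRecord(family_id, user_id, time.time() + self.ttl_seconds)
        return token

    def login(self, user_id: str) -> str:
        """Authentication starts a fresh family; every later rotation stays inside it."""
        return self._issue(user_id, secrets.token_hex(8))

    def rotate(self, presented: str) -> str:
        """Exchange a refresh token for a new one; the old one is marked used at once."""
        rec = self.tokens.get(self._hash(presented))
        if rec is None or rec.expires_at < time.time():
            raise InvalidRefreshToken("unknown or expired refresh token")
        if rec.family_id in self.revoked_families:
            raise InvalidRefreshToken("family revoked, re-authenticate")
        if rec.used:
            # Someone else holds a copy of this chain: kill every token in it.
            self.revoke_family(rec.family_id)
            raise RefreshTokenReuse(f"reuse detected, family {rec.family_id} revoked")
        rec.used = True
        return self._issue(rec.user_id, rec.family_id)

    def revoke_family(self, family_id: str) -> None:
        """Revoke the whole chain, including tokens already handed to the thief."""
        self.revoked_families.add(family_id)


def attacker_replays_after_client() -> dict:
    """Constructed scenario: token copied, legitimate client rotates first, thief replays the copy."""
    store = RefreshTokenStore()
    original = store.login("alice")
    stolen = original                      # attacker obtains a copy of the current token
    current = store.rotate(original)       # legitimate client refreshes; `original` is now used
    result = {}
    try:
        store.rotate(stolen)
        result["attacker"] = "got new token"
    except RefreshTokenReuse:
        result["attacker"] = "reuse detected"
    try:
        store.rotate(current)              # the client's newest token is dead too
        result["client"] = "rotated"
    except InvalidRefreshToken:
        result["client"] = "family revoked"
    return result


def attacker_rotates_first() -> dict:
    """Constructed scenario: thief refreshes first; the legitimate client's stale token trips the alarm."""
    store = RefreshTokenStore()
    original = store.login("alice")
    attacker_token = store.rotate(original)  # looks like a normal refresh at this point
    result = {"attacker_first": "got new token"}
    try:
        store.rotate(original)               # legitimate client presents its now-stale token
        result["client"] = "rotated"
    except RefreshTokenReuse:
        result["client"] = "reuse detected"
    try:
        store.rotate(attacker_token)         # family revocation reaches the thief's fresh token
        result["attacker_then"] = "rotated"
    except InvalidRefreshToken:
        result["attacker_then"] = "family revoked"
    return result


if __name__ == "__main__":
    print(attacker_replays_after_client())
    print(attacker_rotates_first())
```

Two points the code makes concrete. First, the old token is marked used rather than deleted: if it were simply removed, a replay would be indistinguishable from a garbage token and the family would never be revoked; a sweeper can drop records once expires_at has passed. Second, in the race where the attacker refreshes first, the thief does get one valid token, and it is the legitimate client's next refresh that exposes the theft, which is why the whole family, not just the presented token, has to be revoked. In practice a client can also lose the response carrying its new token (a dropped connection) and then retry with the old one, which this strict store would treat as theft; some servers allow a short reuse window for the immediately previous token, trading a little detection latency for fewer forced logins.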

Key idea

Rotation hands out a fresh refresh token on every use and revokes the old one, so reuse of an old token reveals theft and triggers revocation of the whole family.

Check yourself

1. What happens to the old refresh token after rotation?

2. Why does reuse of an old refresh token matter?