Renewing the Access Token

In the authID system, renewing access tokens is essential to upholding security and guaranteeing authenticated users' access to restricted resources. To reduce security risks, access tokens usually have a finite lifespan. Renewing the access token enables the application to keep accessing protected resources without creating an additional load on the authentication API.

The access token must be refreshed or updated to maintain access.

One simple approach is to check the exp field (as shown below). If the expiration time is near, use the Refresh Token to obtain a new access/refresh token pair.

  1. Make sure to keep both new refresh and new access tokens secure.
  2. When encountering a 401 error during token refresh, reauthenticate with credentials to obtain a new access / refresh token pair.
  3. Refresh tokens are "one-time-use" and are invalidated (almost) immediately after use. This is the refresh token reuse detection security measure that guards against intercepting access/refresh tokens and helps to detect compromised channel. If the system detects a compromised refresh token, the application receives 401 error and the "reuse detected" event is recorded in system audit trail. If system consuming authID APIs have multithreaded implementation, one needs to take care to properly track and avoid reusing refresh token.