
Token Behavior

Денис Векерик edited this page Feb 21, 2023 · 9 revisions

Access and refresh tokens

TeachUA uses JWT for both access and refresh tokens. The access token is kept short-lived to limit the damage if it leaks; the longer-lived refresh token is only ever sent to the token endpoints and is single-use.

  • Access token - short-lived (30 minutes)
  • Refresh token - long-lived (3-7 days)

API

Use the /signin endpoint to log in; on success the response contains both an ACCESS token and a REFRESH token.

Then send the ACCESS token as a Bearer token in the Authorization header (Authorization: Bearer <access token>) when calling secured endpoints.

After 30 minutes the ACCESS token expires, but you can obtain a new valid ACCESS token without logging in again.

Use the /token/refresh endpoint, sending the REFRESH token in the request body.

!Important After that call, the REFRESH token from the request body is revoked (refresh tokens are single-use), and the response body contains a new valid REFRESH token for the next refresh. That means:

  • You never have to log in again as long as you refresh periodically, always replacing the stored REFRESH token with the one from the latest response.
  • You only have to log in again once the REFRESH token expires.
  • A REFRESH token that has already been used is rejected if presented again, so a stale or stolen copy cannot be replayed.

Use the /token/revoke endpoint to revoke a REFRESH token manually (for example, when the user logs out).

A 200 status means the token was revoked successfully; you now have to log in again. Note that revoking the REFRESH token does not by itself invalidate an ACCESS token that has already been issued: a stateless JWT stays accepted until its own 30 minutes run out, so the client must discard it as well.

Frontend

Login goes through the /signin endpoint described above, and the client stores the returned token pair.

After that the ACCESS token is refreshed automatically by an Axios response interceptor, so individual requests do not need to handle expiry themselves.

!Important If you are inactive on the website for the whole REFRESH token lifetime, the token expires and is revoked automatically, and you must log in again.
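The following is an added example, not TeachUA's own code, that models both the API flow from the section above (sign-in, 30-minute ACCESS token, single-use REFRESH token, manual revoke) and the transparent refresh that the frontend's Axios interceptor performs. The request field names (`email`, `password`, `refreshToken`), the 401 status for a missing or expired token, the 401 on revoking an unknown token, and the counter-based token strings are assumptions made for the example; a real server issues signed JWTs.

```javascript
// Added example (not TeachUA code): in-memory model of the token flow on this
// page with both sides of the exchange. Field names, the 401 statuses and the
// counter-based token strings are assumptions; a real server issues signed JWTs.
const ACCESS_TTL_MS = 30 * 60 * 1000;            // 30 minutes, as on the page
const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000;  // upper end of the 3-7 day range

let seq = 0;
const mint = (kind) => `${kind}.${(++seq).toString(36)}`; // stand-in for a JWT

// ---- Server side: sign-in, secured endpoint, single-use refresh, revoke ----
function createServer(clock = () => Date.now()) {
  const users = { 'user@example.com': 'correct-horse' }; // constructed test user
  const access = new Map();   // accessToken  -> { user, exp }
  const refresh = new Map();  // refreshToken -> { user, exp }

  const issuePair = (user) => {
    const now = clock();
    const pair = { accessToken: mint('access'), refreshToken: mint('refresh') };
    access.set(pair.accessToken, { user, exp: now + ACCESS_TTL_MS });
    refresh.set(pair.refreshToken, { user, exp: now + REFRESH_TTL_MS });
    return pair;
  };

  return {
    // POST /signin (assumed body: { email, password })
    signin({ email, password }) {
      if (users[email] !== password) return { status: 401 };
      return { status: 200, body: issuePair(email) };
    },
    // Any secured endpoint, called with "Authorization: Bearer <access token>"
    secured(authHeader) {
      const rec = access.get((authHeader || '').replace(/^Bearer /, ''));
      if (!rec || rec.exp <= clock()) return { status: 401 };
      return { status: 200, body: { user: rec.user } };
    },
    // POST /token/refresh (assumed body: { refreshToken }). The presented token
    // is consumed even when the call fails, so a replayed token never succeeds.
    refreshTokens({ refreshToken }) {
      const rec = refresh.get(refreshToken);
      refresh.delete(refreshToken);
      if (!rec || rec.exp <= clock()) return { status: 401 };
      return { status: 200, body: issuePair(rec.user) };
    },
    // POST /token/revoke: 200 when a live refresh token was revoked. An already
    // issued access token stays usable until its own 30 minutes run out, as any
    // stateless JWT would, so the client has to drop it as well.
    revoke({ refreshToken }) {
      return { status: refresh.delete(refreshToken) ? 200 : 401 };
    },
  };
}

// ---- Client side: mirrors the Axios response interceptor described above ----
function createClient(server) {
  let tokens = null;
  return {
    login(email, password) {
      const res = server.signin({ email, password });
      if (res.status !== 200) throw new Error('bad credentials');
      tokens = res.body;
      return tokens;
    },
    // On 401: refresh once, keep the NEW pair (the old refresh token is gone),
    // replay the request; if the refresh itself fails, a relogin is required.
    get() {
      let res = server.secured(`Bearer ${tokens.accessToken}`);
      if (res.status === 401) {
        const r = server.refreshTokens({ refreshToken: tokens.refreshToken });
        if (r.status !== 200) { tokens = null; throw new Error('relogin required'); }
        tokens = r.body;
        res = server.secured(`Bearer ${tokens.accessToken}`);
      }
      return res;
    },
    logout() {
      const status = server.revoke({ refreshToken: tokens.refreshToken }).status;
      tokens = null;
      return status;
    },
    tokens: () => tokens,
  };
}

// Walk the page's scenario with a fake clock so expiry can be observed offline.
function demo() {
  let now = 0;
  const server = createServer(() => now);
  const client = createClient(server);
  const first = client.login('user@example.com', 'correct-horse');
  const out = {};
  out.fresh = client.get().status;                                   // 200
  now += ACCESS_TTL_MS + 1;                                          // access expired
  out.afterRefresh = client.get().status;                            // 200, refreshed silently
  out.rotated = client.tokens().refreshToken !== first.refreshToken; // true
  out.replay = server.refreshTokens({ refreshToken: first.refreshToken }).status; // 401
  out.revoke = client.logout();                                      // 200
  const idle = createClient(server);                                 // inactive for > 7 days
  idle.login('user@example.com', 'correct-horse');
  now += REFRESH_TTL_MS + 1;
  try { idle.get(); out.idle = 'still valid'; } catch (e) { out.idle = e.message; }
  return out;
}
```

The client keeps only the newest token pair: the refresh token it just presented has been consumed, so holding on to it would only produce a failed replay on the next 401. In a real Axios interceptor the same `get` logic sits in the rejected-response handler, with a guard so that a request that fails again after one refresh is not retried forever.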