I have an API that gets a new access token from a refresh token, but I wonder: should I revoke the refresh token and generate a new refresh token when getting a new access token?
Case 1: api/refresh token => {new_access_token, new_refresh_token} (refresh_token revoked)
Case 2: api/refresh token => {access_token} (refresh_token not revoked)
What is the best practice? I'm using NestJS.
Top comments (1)
It is generally recommended to revoke the refresh token when issuing a new access token and refresh token pair. This ensures that the previous refresh token cannot be used to get a new access token if it has been compromised.
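
The rotation recommended in the comment above (Case 1 in the question), as an added example that is not part of the original post or comment. It is framework-independent TypeScript that could sit behind a NestJS controller, and it goes one step beyond the comment by revoking the whole token family when an already-rotated token is presented again. The in-memory `Map`, the 7-day lifetime, the opaque access token, and the names `login`, `refresh` and `issueRefreshToken` are assumptions made for illustration.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Hypothetical in-memory store keyed by SHA-256 of the token, so raw refresh
// tokens are never kept server-side. A real service would use a database table.
type StoredToken = { userId: string; familyId: string; revoked: boolean; expiresAt: number };
const store = new Map<string, StoredToken>();
const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000; // assumed 7-day lifetime

const sha256 = (token: string): string => createHash("sha256").update(token).digest("hex");

function issueRefreshToken(userId: string, familyId: string, now: number): string {
  const token = randomBytes(32).toString("base64url");
  store.set(sha256(token), { userId, familyId, revoked: false, expiresAt: now + REFRESH_TTL_MS });
  return token;
}

// Login starts a new token family; every rotated token inherits the family id.
function login(userId: string, now: number = Date.now()): string {
  return issueRefreshToken(userId, randomBytes(16).toString("hex"), now);
}

// Case 1: each refresh revokes the presented token and returns a new pair.
function refresh(presented: string, now: number = Date.now()): { accessToken: string; refreshToken: string } {
  const record = store.get(sha256(presented));
  if (!record || record.expiresAt <= now) throw new Error("invalid refresh token");
  if (record.revoked) {
    // An already-rotated token came back: it may have been stolen, so revoke
    // the whole family and force the user to log in again.
    store.forEach((t) => { if (t.familyId === record.familyId) t.revoked = true; });
    throw new Error("refresh token reuse detected");
  }
  record.revoked = true; // the old refresh token can never be exchanged again
  return {
    // Stand-in for a signed JWT (e.g. from @nestjs/jwt); opaque here to stay self-contained.
    accessToken: randomBytes(32).toString("base64url"),
    refreshToken: issueRefreshToken(record.userId, record.familyId, now),
  };
}
```

With Case 2 the same refresh token stays valid for its whole lifetime, so the server has no signal when a copy of it is used by someone else; with rotation, the second use of an old token is what triggers the family revocation.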