Last Update: 2019-06-06 10:34:09 -0700

Documentation for JWT Refresh Feature

The jwt_refresh feature adds support for a database-backed JWT refresh token, setting a short lifetime on JWT access tokens.

When this feature is used, the access and refresh token are provided at login in the response body (the access token is still provided in the Authorization header), and for any subsequent POST to /jwt-refresh.

Note that using the refresh token invalides the old refresh token and creates a new access token with an updated lifetime. However, it does not invalidate older access tokens. Older access tokens remain valid until they expire.

This feature depends on the jwt feature.

Auth Value Methods


Name of the key in the response json holding the access token. Default is access_token.


How many seconds before the current time will the jwt be considered valid (to account for inaccurate clocks). Default is 5.


Validity of an access token in seconds, default is 1800 (30 minutes).


Error message when the provided refresh token is non existent, invalid or expired.


The column name in the refresh token table storing the account id, should be a foreign key referencing the accounts table.


The column name in the refresh token keys table storing the deadline after which the refresh token will no longer be valid.


validity of a refresh token. Default is 14 days.


The column name in the refresh token keys table storing the id of each token (the primary key of the table).


Name of the key in the response json holding the refresh token. Default is refresh_token.


The column name in the refresh token keys table holding the refresh token key value.


Name of parameter in which the refresh token is provided when requesting a new token. Default is refresh_token.


Name of the table holding refresh token keys.

Auth Methods


Hooks for specific processing once the refresh token has been set.


Returns the account hash for the given refresh token.


Hooks for specific processing before the refresh token is computed.