Signs a long-lived refresh token (7 days).

The resulting token is stored as a database record and set as an
httpOnly, Secure, SameSite=Strict cookie: JavaScript cannot read it, it
travels only over HTTPS, and the browser attaches it automatically to
same-site requests such as /api/auth/refresh (cross-site requests never
carry it). Refresh tokens are rotated on every use: the old token's record
is deleted and a new one issued, so a stolen token is usable for at most
one refresh and only until either party presents it, limiting the window
of exposure.