Description

JWT token signing and verification utilities.

Two separate secrets are used — one for access tokens and one for refresh tokens. This means a compromised refresh secret cannot be used to forge access tokens, and vice versa.

Access tokens are short-lived (15 minutes) and sent in the Authorization header. Refresh tokens are long-lived (7 days) and stored as httpOnly cookies.

See: https://jwt.io (JWT specification)