Refresh Token
A long-lived credential issued alongside an access token that allows the client to obtain new access tokens without requiring the user to re-authenticate. Refresh tokens must be stored securely, as their compromise grants persistent access. Best practices include refresh token rotation (issuing a new refresh token on each use and invalidating the old one) and binding tokens to client identity to limit their usability if stolen.
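The rotation and client-binding practices described above, as an added example that is not part of the original entry: an in-memory refresh token store (hypothetical class, not any particular library's API) that stores only token hashes, rejects tokens redeemed by a different client, rotates on every use, and treats replay of an already-rotated token as a compromise signal that revokes the whole token family.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Set


class RefreshTokenStore:
    """Refresh tokens with rotation, client binding and reuse detection.

    Only the SHA-256 hash of each token is kept, so a leaked store does
    not directly yield usable credentials. Every issued token belongs to
    a 'family' (one login session); a replayed token revokes the family.
    """

    def __init__(self, lifetime_s: int = 30 * 24 * 3600):
        self.lifetime_s = lifetime_s
        self._tokens: Dict[str, dict] = {}      # token hash -> record
        self._revoked_families: Set[str] = set()

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, client_id: str, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._h(token)] = {
            "family": family or secrets.token_hex(8),
            "client_id": client_id,          # token bound to the issuing client
            "user": user,
            "expires": time.time() + self.lifetime_s,
            "used": False,
        }
        return token

    def redeem(self, token: str, client_id: str) -> Optional[str]:
        """Consume `token` and return a fresh refresh token, or None if rejected."""
        rec = self._tokens.get(self._h(token))
        if rec is None or rec["expires"] < time.time():
            return None
        if rec["client_id"] != client_id:     # presented by a different client
            return None
        if rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # A rotated token came back: either the legitimate client or a
            # thief holds a stale copy. Revoke the family so both lose access.
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True                    # old token is now invalid
        return self.issue(rec["user"], client_id, family=rec["family"])
```

A production store would persist records, log family revocations for incident response, and require the user to re-authenticate once a family is revoked.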
Related protocols
Mentioned in guides
JSON Web Tokens: Structure, Signing, and Common Pitfalls (Security & Authentication)
API Security Checklist: OWASP Top 10 for APIs (Security & Authentication)
API Authentication Patterns: Bearer Tokens, API Keys, and Session Cookies (Security & Authentication)
Authentication at the API Gateway: JWT Validation, OAuth, and API Keys (API Gateway Patterns)
Testing Error Scenarios: Simulating 4xx and 5xx Responses (Testing & Mocking)