Title: Access & Refresh Tokens with Rotation
Date: 2025-12-23
Status: Accepted
Context: Go pet-project, implementing authentication with tokens.
Use two types of tokens:
Refresh Token Rotation:
Login flow:
Storage:
Refresh tokens are stored hashed in the database.
Access tokens are not stored.
Minimal fields for refresh token:
UserID
TokenHash
ExpiresAt
RevokedAt
Security considerations:
sequenceDiagram
participant Client
participant Server
Note over Client,Server: Login
Client->>Server: POST /auth/login (credentials)
Server-->>Client: access_token + refresh_token
Note over Client,Server: Normal API usage
Client->>Server: GET /api/tasks (Bearer access_token)
Server-->>Client: 200 OK
Note over Client,Server: Token expired
Client->>Server: GET /api/tasks (expired access_token)
Server-->>Client: 401 Unauthorized
Note over Client,Server: Refresh flow
Client->>Server: POST /auth/refresh (refresh_token)
activate Server
Server->>Server: Validate refresh token
Server->>Server: Revoke old refresh token
Server->>Server: Issue new token pair
deactivate Server
Server-->>Client: access_token + refresh_token
Note over Client,Server: Continue with new tokens
Client->>Server: GET /api/tasks (Bearer new access_token)
Server-->>Client: 200 OK
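The refresh flow in the diagram above and the storage rules, as an added Go example that is not the project's own code: the store keeps only the four minimal fields keyed by the SHA-256 hash of the token, and Rotate validates the presented token, revokes it and issues a replacement. The in-memory map standing in for the database, the error values and the 32-byte random token format are assumptions; minting the new access token for the returned UserID is left to the caller, since access tokens are not stored.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

var ErrInvalid, ErrRevoked, ErrExpired = errors.New("unknown token"), errors.New("token revoked"), errors.New("token expired")
// RefreshToken holds the ADR's minimal fields; the raw token itself is never stored.
type RefreshToken struct {
	UserID    string
	TokenHash string
	ExpiresAt time.Time
	RevokedAt *time.Time
}
// Store is an assumed in-memory stand-in for the database table, keyed by TokenHash.
type Store map[string]*RefreshToken
// hashToken derives the lookup key, so a leaked table yields no usable tokens.
func hashToken(raw string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(raw))) }

// Issue mints a random refresh token for userID, persists only its hash and returns the raw value.
func (s Store) Issue(userID string, ttl time.Duration) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	raw := fmt.Sprintf("%x", buf)
	s[hashToken(raw)] = &RefreshToken{UserID: userID, TokenHash: hashToken(raw), ExpiresAt: time.Now().Add(ttl)}
	return raw, nil
}

// Rotate is the refresh flow: validate, revoke the old token, issue a replacement; the caller mints the access token.
func (s Store) Rotate(raw string, ttl time.Duration) (userID, newRaw string, err error) {
	rec, ok := s[hashToken(raw)]
	now := time.Now()
	switch {
	case !ok:
		return "", "", ErrInvalid
	case rec.RevokedAt != nil: // an already-rotated token presented again is rejected
		return "", "", ErrRevoked
	case !now.Before(rec.ExpiresAt):
		return "", "", ErrExpired
	}
	rec.RevokedAt = &now
	newRaw, err = s.Issue(rec.UserID, ttl)
	return rec.UserID, newRaw, err
}
```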