Types of tokens used by Passage and how to secure them.
Passage uses two types of tokens: auth tokens and refresh tokens. Let's talk about what they are and how to make sure they are used securely.
Auth tokens are automatically configured for your application when it is created. These tokens are JWTs, which are signed by Passage and verified by your web server to confirm the user is logged in. You can configure the session expiration time in the Passage Console.
The primary downside to using JWTs for session tokens is that you cannot revoke a JWT: it is valid until its expiration time. The benefit is that verification of the token can be done offline, which makes JWTs a great fit for a third-party service like Passage.
To mitigate some of this risk, Passage supports refresh tokens, which can be turned on for any application. Refresh tokens are long-lived tokens that can be used to "refresh" a session and can be revoked. A typical app configuration looks like this: refresh tokens are enabled with the maximum session length you want to allow (say 24 hours), and the auth token expiration is set to something short (say 1 minute). Both tokens are stored client side; when the auth token expires, the client checks with Passage to see whether the refresh token is still valid. If it is, a new auth token is issued; if not, the user is logged out. If you use the Passage User class or an Element, this is handled for you automatically.
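To make the trade-off concrete, here is an added illustration (not Passage's code or SDK; it uses a constructed HMAC key in place of Passage's real signing keys and a plain in-memory store in place of Passage's service) of a web server verifying a short-lived auth token offline alongside a revocable refresh-token store. It shows why an outstanding auth token survives revocation until `exp`, while the refresh token can be cut off immediately.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key. Passage signs real auth tokens with its own keys;
# this only illustrates the mechanism the page describes.
SECRET = b"demo-signing-key-not-a-real-passage-key"
AUTH_TTL_S = 60            # short-lived auth token (1 minute)
SESSION_MAX_S = 24 * 3600  # maximum session length (24 hours)
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def mint_auth_token(user_id: str, now: float) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": int(now) + AUTH_TTL_S}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_auth_token(token: str, now: float):
    """Offline check (no call to Passage): signature first, then expiry. Returns sub or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    # A JWT cannot be revoked: it stays valid until exp regardless of the session's state.
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")

class RefreshStore:
    """Server-side refresh tokens; revoking one is just deleting its record."""
    def __init__(self):
        self._active = {}  # refresh token -> (user_id, session expiry)
    def issue(self, user_id: str, now: float) -> str:
        tok = secrets.token_urlsafe(32)
        self._active[tok] = (user_id, now + SESSION_MAX_S)
        return tok
    def revoke(self, tok: str) -> None:
        self._active.pop(tok, None)
    def refresh(self, tok: str, now: float):
        """Fresh auth token if the refresh token is still valid, else None (user is logged out)."""
        entry = self._active.get(tok)
        if entry is None or entry[1] <= now:
            self._active.pop(tok, None)
            return None
        return mint_auth_token(entry[0], now)
```

The practical consequence for a defender: after revoking a refresh token, the window of continued access is bounded by the auth token lifetime, which is why the page recommends keeping it short.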