undefined | Better HN

0 pointseurasiantiger3y ago0 comments

Do not persist or store access tokens anywhere but in-memory. You can use a session cookie as a refresh token, and use it to get a fresh JWT whenever you need.

0 comments

2 comments · 2 top-level

parker_mountain3y ago

> Do not persist or store access tokens anywhere but in-memory.

Using short lived ATs is one defense against this happening, such as if an attacker compromises one of your services and starts scraping tokens off of it.

Ideally, the services should also have some sort of checks (such as service accounts), to ensure that only approved services can talk to each other.

hknmtt3y ago

using two tokens makes sense only if you have cqrs system. otherwise it's a complexity that brings no value.

j / k navigate · click thread line to collapse