
Securing Our API with Short-Lived JWTs

Long-lived tokens are a liability. We moved to 10-minute access tokens with rotating refresh tokens — here is the tradeoff.

Lena Novak · 1 min read

A leaked token that's valid for 30 days is a 30-day breach. We cut access-token lifetime to 10 minutes and paired it with rotating refresh tokens.

The shape

  • Access token: 10 minutes, stateless, carries scopes.
  • Refresh token: rotated on every use, stored hashed, revocable.

const jwt = require("jsonwebtoken"); // assumes the jsonwebtoken npm package

// Verify with a tight clock skew (seconds) and an explicit algorithm allow-list
jwt.verify(token, publicKey, { algorithms: ["RS256"], clockTolerance: 5 });

Never accept the alg from the token header. Pin it server-side, or you invite the classic alg: none forgery.

The cost is more refresh traffic. The benefit is that a stolen access token is nearly worthless in ten minutes.
