This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
This is just a proposal so far, it hasn't been accepted and needs further discussion.
When issuing tokens using a refresh token, we need to decide where we get the payloads and lifetimes from.
- Token payloads and lifetimes are regenerated on the BE for refresh
- They are re-used from when the tokens were first issued
Chosen option: Token payloads and lifetimes are regenerated on the BE for refresh
- Refreshing ensures fresh information
- Simple to explain: the token is always built using the same callbacks
As a sub-decision, we've discussed adding an endpoint on the core to load the information needed for these callbacks, versus embedding that information in the token itself (making it more like a JWT):
- Making it a JWT would make the token much bigger
- The overhead of the extra call shouldn't matter too much, since this is not a frequently used operation (e.g., 1/hr/user)
- Parsing the JWT would complicate things unnecessarily
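As an added illustration of the chosen option and the sub-decision above (example code, not SuperTokens' own; the core endpoint is replaced by an in-memory map, and the callback names are assumed): the refresh path rebuilds the payload and lifetime through the same callbacks used at issuance, so a role removed after the tokens were issued is gone from the refreshed token, whereas copying the stored payload forward would keep it.

```typescript
// Added example, not SuperTokens code. Shows why regenerating the payload on
// refresh (chosen option) differs from re-using the payload issued at first.
type Payload = { sub: string; roles: string[]; scope: string };
type AccessToken = { payload: Payload; expiresAt: number };
type RefreshTokenRecord = {
  userId: string;
  clientId: string;
  scopes: string[];
  issuedPayload: Payload;   // only the rejected "re-use" option needs these two
  issuedLifetimeMs: number;
};

// Assumed stand-in for the core endpoint the callbacks would query for user info.
const coreUserStore = new Map<string, { roles: string[] }>([
  ["user-1", { roles: ["admin", "editor"] }],
]);

// The callbacks the proposal refers to: the same ones run at issuance and at refresh.
function buildAccessTokenPayload(userId: string, scopes: string[]): Payload {
  const info = coreUserStore.get(userId);
  if (info === undefined) throw new Error(`unknown user ${userId}`);
  return { sub: userId, roles: [...info.roles], scope: scopes.join(" ") };
}
function getAccessTokenLifetimeMs(_userId: string, _clientId: string): number {
  return 60 * 60 * 1000; // 1 hour; a real callback could vary this per client
}

function issueTokens(userId: string, clientId: string, scopes: string[], now: number) {
  const payload = buildAccessTokenPayload(userId, scopes);
  const lifetimeMs = getAccessTokenLifetimeMs(userId, clientId);
  const refresh: RefreshTokenRecord = { userId, clientId, scopes, issuedPayload: payload, issuedLifetimeMs: lifetimeMs };
  return { access: { payload, expiresAt: now + lifetimeMs } as AccessToken, refresh };
}

// Chosen option: payload and lifetime are rebuilt from the callbacks on every refresh.
function refreshRegenerate(rt: RefreshTokenRecord, now: number): AccessToken {
  return {
    payload: buildAccessTokenPayload(rt.userId, rt.scopes),
    expiresAt: now + getAccessTokenLifetimeMs(rt.userId, rt.clientId),
  };
}

// Rejected option: the payload captured at first issuance is copied forward unchanged.
function refreshReuse(rt: RefreshTokenRecord, now: number): AccessToken {
  return { payload: { ...rt.issuedPayload, roles: [...rt.issuedPayload.roles] }, expiresAt: now + rt.issuedLifetimeMs };
}

// Simulates a role being removed in the core after the tokens were issued.
function revokeRole(userId: string, role: string): void {
  const info = coreUserStore.get(userId);
  if (info !== undefined) info.roles = info.roles.filter((r) => r !== role);
}
```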