Skip to main content
important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Token payloads and lifetimes are regenerated on the BE for refresh

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:
proposed
Deciders:
rishabhpoddar, porcellus
Proposed by:
porcellus
Created:
2023-05-11

Context and Problem Statement#

When issuing tokens using a refresh token, we need to decide where we get the payloads and lifetimes from.

Considered Options#

  • Token payloads and lifetimes are regenerated on the BE for refresh
  • They are re-used from when the tokens where first issued

Decision Outcome#

Chosen option: Token payloads and lifetimes are regenerated on the BE for refresh

  • Refreshing ensures fresh information
  • Simple to explain: the token is always built using the same callbacks

As a sub-decision, we've discussed adding an endpoint on the core to load the information needed for these callbacks vs adding them into the token (kind of like a JWT):

  • Making it a JWT would make the token much bigger
  • The overhead of the extra call shouldn't matter too much, since this is not an often used operation (e.g.: 1/hr/user)
  • Parsing the JWT would complicate things unnecessarily

Pros and Cons of the Options#

Token payloads and lifetimes are regenerated on the BE for refresh#

  • Refreshing ensures that the information in the tokens is fresh as well
  • The token payloads and lifetimes are always controlled by the same callbacks on the BE
  • Requires an additional endpoint and a multiple step process to refresh tokens
  • Some information could be safely re-used from the old payload, but we are re-getting them anyway
  • They are re-used from when the tokens where first issued#

  • The tokens can contain stale information