Wiki πŸ” Search
QIIUB

How token security works

The plain-English version β€” no jargon. If you can picture a hotel, you already understand it.

A web app has a problem: after you log in, how does it remember it's you on every click β€” without asking for your password again, and without letting a thief pretend to be you?

🏨 Think of a hotel. You prove who you are once at the front desk, and you get a keycard. The keycard opens your room for the rest of your stay β€” but it's designed so that if someone copies it, the hotel notices. That's exactly how token security works.

🎭 The cast

Four characters. Each has a plain name and a real technical name.

πŸ›ŽοΈ

The front desk

Checks your ID once and hands out keycards. Also the only one who can look up who you are.

The API / auth server
πŸͺͺ

Your ID

You show it once at check-in β€” your email + Microsoft/Google login or a magic link. Never shown again.

Login (OAuth / magic link)
πŸ’³

The keycard

Opens doors for a short time (15 min). You carry it in your pocket. If lost, it expires fast.

Access token (JWT), in memory
🎟️

The renewal ticket

Kept in the hotel safe β€” you can't take it out or even see it. It's used behind the scenes to print you a fresh keycard.

Refresh token (HttpOnly cookie)

πŸ—ΊοΈ The whole flow, step by step

πŸͺͺ

Check in (log in)

You show your ID once. The front desk verifies it and prepares your stay.

Magic link or Microsoft/Google β†’ the API confirms your identity.
πŸ’³πŸŽŸοΈ

Get a keycard + a renewal ticket

You pocket the keycard (works 15 min). The renewal ticket goes straight into the hotel safe β€” you never touch it.

JWT returned to the app (memory); refresh token set as an HttpOnly cookie the browser stores but JS can't read.
πŸšͺ

Open doors

Every door you open, you tap the keycard. Fast, no password.

Each API call sends Authorization: Bearer <JWT>.
πŸ”„

Silent renewal (before it expires)

Just before your keycard stops working, the system quietly walks to the safe, uses the renewal ticket, and prints you a fresh keycard β€” you don't notice a thing.

The app calls /auth/refresh; the old refresh token is swapped for a new one (rotation).
πŸ•΅οΈ

Each ticket is single-use β€” copies get caught

Every renewal ticket works once. If two people ever show up with the same ticket, the front desk knows one is a thief and cancels the whole room immediately.

Refresh rotation + reuse detection: reusing a rotated token revokes the entire session chain.
⏰

β€œStill there?” (idle timeout)

If you don't move for 30 minutes, a little notice pops up: β€œStill around? Staying?” β€” click Stay and you're good; ignore it and you're signed out.

Idle timer β†’ the SessionWarningDialog with a 2-minute countdown.
πŸšͺπŸ”’

Checkout time (absolute cap)

No matter how many renewals, there's a hard checkout β€” after the max stay you check in again. Keeps a forgotten session from living forever.

Absolute session cap (e.g. 8h). No refresh succeeds past it.
πŸŒ™

Close the app and come back later

The renewal ticket stays in the safe even after you close everything. Come back soon and you're waved right back in. Come back much later (say, the next morning) and you check in again β€” on purpose, because this app handles money.

Refresh cookie is persistent, but the 30-min sliding window decides: reopen within it β†’ auto signed-in; past it β†’ re-login. An optional β€œRemember me” can widen that window on trusted devices.

πŸ›‘οΈ Why this is safe

πŸ”’ The ticket stays in the safe

The renewal ticket (refresh token) is locked in the browser where scripts can't reach it. Even a malicious script on the page can't steal it.

⏱️ The keycard dies fast

A lost keycard (JWT) only works 15 minutes β€” and it can't be turned into a lasting copy without the safe's ticket.

πŸ•΅οΈ Copies trip the alarm

Single-use renewal + reuse detection means a copied session gets the whole chain revoked the moment it's replayed.

πŸ“‘ Nothing travels in the clear

Everything is over HTTPS, and the ticket refuses to be sent along on requests coming from other websites.

πŸ“‡ Cheat sheet

Plain nameReal termWhat it does
πŸ›ŽοΈFront deskAPI / auth serverVerifies identity, issues tokens
πŸͺͺShowing your IDLogin (OAuth / magic link)Prove who you are β€” once
πŸ’³KeycardAccess token (JWT)Opens doors for 15 min; kept in memory
🎟️Renewal ticket in the safeRefresh token (HttpOnly cookie)Prints fresh keycards; JS can't read it
πŸ”„Quiet keycard swapRefresh rotationNew token every renewal
πŸ•΅οΈSame-ticket alarmReuse detectionRevokes the whole session if copied
🎫Anti-forgery stampCSRF nonce (SameSite)Blocks other websites from acting as you
β°β€œStill there?”Idle timeout + warningSigns out after inactivity
πŸšͺπŸ”’Checkout timeAbsolute capHard limit on how long a stay can last