JWT Introduction
- Updated on 13 Mar 2024
As of August 25th, 2022, the login method has changed from a single token with a very long expiry to a pair of tokens that must be refreshed. The purpose of this change is to improve security when logging in and out.
There are now two types of JWT:
Access token: A token that allows a user to access the API endpoints they are permitted to use.
This token has a default lifespan of 30 minutes; after that the token is no longer valid and a new one must be issued. An access token cannot be used to obtain another access token. Because it is passed as a URL parameter, it is normally exposed in log files and browser history.
Refresh token: A long-lived token (7 days by default) that is used to create new access tokens.
The refresh token cannot itself be used to perform authenticated requests: its only purpose is to obtain new access tokens whenever they are needed. This token must only be sent in a POST request and must never be passed as a URL parameter.
Furthermore, a refresh token may or may not be refreshable, depending on how the instance is set up. When refresh tokens are refreshable, an about-to-expire refresh token can be used to obtain a new refresh token. With a refresh token that is not refreshable, the token will inevitably expire at some point, such as when you log out, and will then no longer be valid for retrieving more access tokens. To get a new access and refresh token pair, log in again.
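The token lifecycle described above, as an added example that is not part of this page or the product's own code: a hypothetical stand-in for the login service enforces the 30-minute access lifespan, the 7-day refresh lifespan, the POST-only rule for refresh tokens, the rule that an access token cannot mint another access token, and the refreshable vs. non-refreshable instance setting. Tokens are modelled as opaque server-side records rather than signed JWTs, and the FakeClock is a constructed helper for fast-forwarding past expiry.

```python
import secrets
import time

ACCESS_TTL = 30 * 60            # default access-token lifespan: 30 minutes
REFRESH_TTL = 7 * 24 * 60 * 60  # default refresh-token lifespan: 7 days

class FakeClock:
    """Constructed clock so a demo can fast-forward past token expiry."""
    def __init__(self, now=0.0):
        self.now = now
    def __call__(self):
        return self.now

class TokenService:
    """Hypothetical stand-in for the login service; tokens are opaque records, not signed JWTs."""
    def __init__(self, refreshable, clock=time.time):
        self.refreshable = refreshable  # instance setting: may refresh tokens be rotated?
        self.clock = clock
        self.tokens = {}  # token -> {"type": "access"|"refresh", "exp": float, "sub": str}

    def _issue(self, kind, ttl, user):
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"type": kind, "exp": self.clock() + ttl, "sub": user}
        return tok

    def _valid(self, tok, kind):
        rec = self.tokens.get(tok)
        if rec is None or rec["type"] != kind or rec["exp"] <= self.clock():
            return None
        return rec

    def login(self, user):
        """Log in: returns an (access, refresh) pair."""
        return self._issue("access", ACCESS_TTL, user), self._issue("refresh", REFRESH_TTL, user)

    def call_api(self, access_token):
        """An authenticated endpoint: only a live access token is accepted."""
        return "200 ok" if self._valid(access_token, "access") else "401 unauthorized"

    def refresh(self, method, token):
        """Mint a new access token. Refresh tokens travel only in a POST, never as a URL
        parameter, and an access token can never be used to mint another one."""
        rec = self._valid(token, "refresh") if method == "POST" else None
        if rec is None:
            return None  # expired, wrong token type or wrong transport: log in again
        access = self._issue("access", ACCESS_TTL, rec["sub"])
        if not self.refreshable:
            return access, token  # same refresh token until its 7 days run out
        del self.tokens[token]  # refreshable: rotate and retire the old refresh token
        return access, self._issue("refresh", REFRESH_TTL, rec["sub"])
```

A `None` from `refresh` is the signal that the client must log in again rather than retry with the same token.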