I've read a lot of articles and Github issues regarding this but I'm not sure what the best solution is. For context I have a laravel API that, on authentication, issues a JWT with a one hour life. When the first API request is made after that hour period the API returns a 401 token expiry error. As far as I can tell there are two ways to handle refreshing that token;
Item 2 sounds unnecessarily complicated because you would have to intercept and queue any requests from the client. Which way is this best handled?
- In the API when receiving a token, if it has expired but we are within the refresh ttl, refresh that token, continue the request as normal and return the new token in a header
The first one make more sense and easier than the second one as you don't have to store the requests if the token was expired and you don't have to wait for the 401 response to replay those API requests which is not good for UX.
Another way of doing that is to create a popup and let user choose whether they want to get new token or not.