Skip to content

Refresh token rotation #2071

New issue
New issue
Open
Open
Refresh token rotation#2071
Labels
feature: missingmilestone: missingrole: Missingsize: missing
@geolunalg

Description

@geolunalg
geolunalg
opened on Jan 27, 2026

EPIC: Epic: Authentication & Session Management (JWT + Refresh) #2065

Overview

User Story:
As a security-conscious system, I want refresh tokens rotated so stolen refresh tokens are less useful.

Action Items

Acceptance Criteria:

  • On every successful refresh:
    • backend issues new refresh token and invalidates the previous one (server-side)
    • refresh token cookie is updated
  • If an old refresh token is reused after rotation, backend detects reuse and revokes the session family.

Resources/Instructions

REPLACE THIS TEXT - If there is a website that has documentation that helps with this issue provide the link(s) here.

Metadata

Metadata

Assignees

No one assigned

    Labels

    feature: missingmilestone: missingrole: Missingsize: missing

    Type

    No type

    Projects

    P: VRMS: Project Board

    Status

    New Issue Approval

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions