Is the "refresh token family" shared across browser tabs?

Hello,

If you’re using the default in-memory cache location, tokens are not persisted across tabs or page refreshes.

So when we reload the page or open the site on a new tab, the user is given a new access token and refresh token.

My question is: are all these refresh tokens (across the tabs) under the same token family?

I’m looking at the refresh token value, and I can see that there’s a prefix before each one, e.g. “v1.”.

Is the “v1.” the “family” that these tokens are under?

Thanks!

1 Like

Hello @its.kevin!

The token family consists of the original access tokens and refresh tokens as well as all the following tokens that are exchanged. If you start with AT1 (Access Token 1) and RT1 (Refresh Token 1), once AT1 expires and you use RT1 to get AT2 and RT2, AT2 and RT2 are added to the same family as AT1 and RT1.

Here is some documentation describing the Refresh Token Rotation, please give it a read.

If you keep getting new AT1 and RT1, they should not be part of the same family.

I hope this helps!

Best,
Alex
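
The family behaviour described in the reply above, as an added example that is not part of the original thread and is not Auth0's code: a toy server model in which each fresh login (one per tab with the in-memory cache) starts its own family and each refresh stays in the family of the token it exchanged. It goes beyond the reply by also modeling reuse detection, the reason rotation tracks families; `TokenStore`, `tryRefresh`, `demo` and the `rt-`/`at-`/`fam-` values are hypothetical names.

```javascript
// Toy authorization-server model, constructed for illustration (not Auth0's code).
// Token values come from a counter so the run is deterministic; a real server
// issues unguessable random values.
class TokenStore {
  constructor() {
    this.seq = 0;
    this.tokens = new Map();  // refresh token -> { family, used }
    this.revoked = new Set(); // family ids that have been invalidated
  }
  mint(family) {
    const n = ++this.seq;
    this.tokens.set(`rt-${n}`, { family, used: false });
    return { accessToken: `at-${n}`, refreshToken: `rt-${n}`, family };
  }
  // A fresh authorization (page reload or new tab) starts a new family.
  login() {
    return this.mint(`fam-${this.seq + 1}`);
  }
  // Exchanging a refresh token retires it and keeps the new pair in its family.
  refresh(rt) {
    const rec = this.tokens.get(rt);
    if (!rec || this.revoked.has(rec.family)) throw new Error("invalid_grant");
    if (rec.used) {
      // An already-rotated token came back: invalidate the whole family.
      this.revoked.add(rec.family);
      throw new Error("invalid_grant");
    }
    rec.used = true;
    return this.mint(rec.family);
  }
}

// Returns the new token pair, or null when the server rejects the exchange.
function tryRefresh(server, rt) {
  try { return server.refresh(rt); } catch { return null; }
}

function demo() {
  const server = new TokenStore();
  const tabA1 = server.login();                          // AT1/RT1 in tab A
  const tabB1 = server.login();                          // new tab: its own AT1/RT1
  const tabA2 = server.refresh(tabA1.refreshToken);      // AT2/RT2, tab A's family
  const replay = tryRefresh(server, tabA1.refreshToken); // RT1 presented again
  const tabA3 = tryRefresh(server, tabA2.refreshToken);  // family already revoked
  const tabB2 = tryRefresh(server, tabB1.refreshToken);  // other family unaffected
  return { families: [tabA1.family, tabA2.family, tabB1.family].join(","),
           replayRejected: replay === null, tabARevoked: tabA3 === null,
           tabBFamily: tabB2 && tabB2.family };
}
```

In this model, a replay in one tab's family leaves the other tab's family usable, because the two logins never shared a family.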