Refresh token implementation

Hello everyone, I thank you in advance for your patience and for the time you give me.
I’ll explain my problem to you, I’d like to set up a refresh token, because currently, when a user logs in, the lifespan of the token is too long for my taste.

I tried to reduce the token lifetime and set up a refresh token, using the documentation, but I can’t. I show you my config on my dashboard, as well as my code. If anyone has a clue, thank you in advance.

Here is my app.js file

const express = require('express');
const graphqlHTTP = require('express-graphql').graphqlHTTP;
const path = require('path')
const { loadFilesSync } = require('@graphql-tools/load-files')
const {mergeResolvers} = require('@graphql-tools/merge')
const { buildSchema, print } = require('graphql');
const jwt = require('express-jwt');
const checkJwt = require('./middleware/authentication');
const cors = require('cors')
const authConfig = require("./auth_config.json");

const app = express();

if (
    !authConfig.domain ||
    !authConfig.audience ||
    authConfig.audience === "YOUR_API_IDENTIFIER"
) {
        "Exiting: Please make sure that auth_config.json is in place and populated with valid domain and audience values"


app.use(cors({ origin: "http://localhost:3000" }));

// Here we are importing the typeDefs string from
const typeDefs = require('./schema/schema')
const {join} = require("path");
// Here we are using the buildSchema function from graphql to convert the typeDefs string to a schema object
// This is necessary because the graphqlHTTP function only accepts a schema object
const schema = buildSchema(print(typeDefs));

// Here we are importing the resolvers object
const resolversArray = loadFilesSync(path.join(__dirname, './resolvers'))
// Here we are using the mergeResolvers to merge all the resolvers into one object
// This is necessary because the graphqlHTTP function only accepts one rootValue object
const root = mergeResolvers(resolversArray)

app.use('/graphql', checkJwt, graphqlHTTP((req, res, graphQLParams) => ({
    schema: schema,
    rootValue: root,
    graphiql: true,
    context: {
        user: req.user,

app.get("/api/external", checkJwt, (req, res) => {
        msg: "Your access token was successfully validated!",

app.listen(4000, () => {
    console.log('Server running on http://localhost:4000/graphql');

And her is my middleware :

const jwt = require('express-jwt').expressjwt;
const jwksRsa = require('jwks-rsa');
const authConfig = require("../auth_config.json");

const checkJwt = jwt({
    secret: jwksRsa.expressJwtSecret({
        cache: true,
        rateLimit: true,
        jwksRequestsPerMinute: 5,
        // token expiration time
        jwksUri: `https://${authConfig.domain}/.well-known/jwks.json`,

    audience: authConfig.audience,
    issuer: `https://${authConfig.domain}/`,
    algorithms: ['RS256'],

module.exports = checkJwt;

Hello, typically, you want your refresh token expiration to exceed the lifespan of your access and id token.

For example, you can set the access and id token to 24 hours and set the absolute refresh token expiration to 6 months or a year max. Remember that when a user exceeds this time-period, the user will be required to re-authenticate. If your session has a greater lifespan than the refresh token, you can reauthenticate the user against the browser session. If the session is invalid, the user must reenter their credentials.

Also, I see you currently have rotation enabled. You are allowed to disable it because this would require that your app can properly rotate tokens without running into concurrency issues.

I hope this helps.

1 Like

Teamwork makes the dreamwork!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.