Automatically renewing the refresh token

Currently there’s support to have the Client. AutoRefreshSession but that only refreshes the session token, so if the refresh token has expired those calls will fail.

What would the best strategy there? And if the session token can have an expiry date of something like 1-7 days, what’s a good value for the refresh token? 30 days? I’m think we could re-authenticate every ~15 days and have the refresh token expiry after 30 days. Something like that. But would be glad to get some light shined on what the best practise is. It’s apparently a common thing to have these two tokens but new to me.

Thanks!

Hi @NixarnTowerPop,

We typically recommend a session token expiry time that equals 2-3 times your game’s average play session.

As for refresh tokens, these are typically longer lived but the exact configuration depends entirely on your needs.

Please see our session documentation and specifically our session management documentation for more information. You may also want to have a read up on refresh tokens and how they’re used to see how they fit into your requirements.

Generally, you use the refresh token to refresh an expired session without requiring the user to re-authenticate. Once both the session and refresh token have expired you should re-authenticate the user again using their credentials.

Hi! What about Refresh token rotation technique from this doc? What Are Refresh Tokens and How to Use Them Securely

I’ve make PR for this feature Add refresh token rotation feature by formatCvt · Pull Request #1051 · heroiclabs/nakama · GitHub

i’ve found possible security issue also, i will send email to support with details