Problem Statement
How would you design token storage and rotation for a single page app and API?
Explanation
Keep access tokens short lived and hold them only in memory; avoid putting them in the URL or in localStorage, where any script running on the page can read them. Deliver the refresh token as an httpOnly, SameSite cookie scoped to a dedicated refresh endpoint and rotate it on every use: each refresh returns a new refresh token and invalidates the old one, so a replayed token can be detected.
Bind tokens to the client context where possible, log every refresh event, and revoke tokens on logout or on any sign of compromise. This balances user experience with safety.
Code Solution
Access: 5–15 min
Refresh: httpOnly, SameSite, rotated on use
Revoke: server side blacklist or version field
