← All Articles

OAuth Refresh Token Rotation for Public Clients

Secure token lifecycle patterns for mobile and SPA apps with refresh rotation, reuse detection, and compromise-aware session revocation.

Public clients cannot protect long-lived secrets. Rotation and reuse detection are non-negotiable.

Core Controls

  1. PKCE for authorization code flow.
  2. Short-lived access tokens.
  3. One-time-use refresh tokens.
{
  "access_token_ttl": 900,
  "refresh_rotation": true,
  "reuse_detection": true
}

Design the token lifecycle assuming compromise, not best behavior.

Next ArticleRedis Streams Job Recovery with Claim LoopsInfrastructure · 12 min read