
JWT Refresh Token Rotation in Node.js: The Complete Implementation
If your app uses JWTs and you're storing a single long-lived token, you have a security hole. A leaked token gives an attacker access for hours or days, and you can't revoke it without server-side state -- which defeats the purpose of JWTs in the first place.

Refresh token rotation solves this cleanly. Short-lived access tokens handle authorization. Long-lived refresh tokens handle re-authentication. And each refresh token can only be used once -- if it's ever reused, you know it was stolen.

Here's how to implement it properly with Fastify and Prisma.

The Token Lifecycle

The flow works like this:

1. User logs in -- server issues an access token (15 min) and a refresh token (7 days)
2. Access token expires -- client sends refresh token to get a new pair
3. Server verifies the refresh token, invalidates it, and issues a fresh pair
4. If a refresh token is used twice -- revoke the entire family

That last point is critical. If an attacker steals a refresh token and uses it before the legitimate user
Continue reading on Dev.to Webdev