Function: createRefreshRotation()
createRefreshRotation(options): RefreshRotation
Defined in: refreshTokenRotation.ts:113
Builds a backend-agnostic refresh-token rotation engine on top of a RefreshTokenStore. It implements the OAuth 2.1 rotation mechanics that are easy to get wrong by hand:
- Single use — a refresh token is consumed (marked rotated) the first time it is exchanged; a new one is minted by your issueTokens hook.
- Reuse detection — presenting an already-consumed token signals theft or replay, so the owner's entire token set is revoked, forcing re-auth.
- Expiry — tokens past their TTL are rejected and swept on access.
- Scope narrowing — a refresh request may request a subset of the granted scopes; requesting a superset is rejected.
The "owner" of a token is the (clientId, subject) pair, which is the unit revoked on reuse: one replayed token invalidates every refresh token that owner holds, not just the replayed one. Plaintext tokens are never persisted — only their hash, so a leaked store does not yield usable tokens.
Parameters

| Parameter | Type |
|---|---|
| options | RefreshRotationOptions |

Returns

RefreshRotation
Example

```ts
// Build the rotation engine on top of your RefreshTokenStore implementation.
const refresh = createRefreshRotation({ store });

createOAuthHandlers({
  // …,
  // Mint the access token yourself; let the engine mint the refresh token
  // (only its hash is persisted in the store).
  issueTokens: async ({ subject, scopes, client }) => ({
    accessToken: signJwt({ sub: subject, scope: scopes.join(' ') }),
    refreshToken: await refresh.issue({ client, subject, scopes }),
    expiresIn: 3600,
  }),
  // Delegate the refresh grant to the engine: single use, reuse detection,
  // expiry and scope narrowing are enforced before issueTokens runs again.
  onRefreshToken: refresh.onRefreshToken,
});
```