jwt-handler


JWT Handler

Overview

Implements secure JWT token lifecycle for web applications — generation, validation, refresh rotation, revocation, and debugging. Produces code that follows current security best practices including short-lived access tokens, one-time refresh rotation with family tracking, and proper key management.

Instructions

Token Generation

When creating JWT tokens:

  1. Access token: short-lived (15 min), carries only the user ID and roles, signed with RS256 or ES256.
  2. Refresh token: longer-lived (7-30 days), opaque or JWT, stored in the database only as a hash so a database leak does not yield usable tokens.
  3. Always use asymmetric signing (RS256/ES256) in production: verifiers need only the public key, so the private key never leaves the issuer.
  4. Minimal payload: user ID, roles, issued-at, expiration. No PII, no secrets.
// Access token payload — keep it minimal
Installs: 1
GitHub Stars: 47
First Seen: Mar 13, 2026