Knowledge Guide
HomeSystem DesignAPI Gateway

hard Token Revocation and Refresh Rotation

Token Revocation & Refresh-Token Rotation at the Edge

Validating JWTs at the edge, locally (verify the signature against cached JWKS, no network call) is what makes a gateway fast — but it creates one hard problem: a locally-validated token is trusted until it expires, so the edge cannot know a token was revoked (logout, compromise, role change). The mechanism that resolves this is not "check every token against a server" (that throws away the speed win) — it is short-lived access tokens + a rotating refresh token, so revocation is enforced at the one place a network check is acceptable: the refresh.

How revocation actually propagates

Timeline of edge JWT validation: short-lived access token (revocation window = its TTL) plus refresh at the authz server as the enforcement choke point; and refresh-token rotation where replay of a used refresh token triggers revoking the whole token family.
Timeline of edge JWT validation: short-lived access token (revocation window = its TTL) plus refresh at the authz server as the enforcement choke point; and refresh-token rotation where replay of a used refresh token triggers revoking the whole token family.

Refresh-token rotation + reuse detection

A long-lived refresh token is a juicy theft target, so the modern pattern is: rotate it on every use. Each time a refresh token RT_n is redeemed, the server issues a new access token and a new refresh token RT_(n+1), and invalidates RT_n. Because a valid refresh token is now single-use, seeing an already-used refresh token again means it was stolen (the attacker and the legit client now hold copies). The server's response is to revoke the entire token family — every token descended from that session — logging out both parties. Losing the legit user's session is the correct, safe default when theft is detected.

Traced example

  1. Login → access AT (5 min) + refresh RT_1.
  2. RT_1 redeemed → issue AT + RT_2; mark RT_1 used.
  3. RT_2 redeemed → issue AT + RT_3.
  4. Attacker replays the stolen RT_1 → server sees a used token reused → revoke the whole family (RT_1..RT_3). Both sessions die; the user re-authenticates.

Selection & trade-offs

Pitfalls

Takeaways


Re-authored and deepened for this guide, per the OAuth 2.0 Security BCP (draft-ietf-oauth-security-topics) for refresh-token rotation / reuse-detection, and RFC 6749 for the base flow and edge JWT-validation patterns. Re-authored/Deepened for this guide.

🤖 Don't fully get this? Learn it with Claude

Stuck on Token Revocation and Refresh Rotation? Open Claude, copy a block below, and it'll teach you this exact concept — visually and interactively.

🎨 Explain it visually

Build the mental picture, not memorization.

I just read a lesson on **Token Revocation and Refresh Rotation** (System Design) and want to truly understand it. Explain Token Revocation and Refresh Rotation from first principles using ONE vivid real-world analogy and a visual mental model — draw it as ASCII art or a clear step-by-step diagram — with a concrete example using real numbers. Then ask me one question to check I got the mental picture, and wait for my reply. If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.
🤔 Walk me through it (interactive)

Socratic — adapts to where you're stuck.

Teach me **Token Revocation and Refresh Rotation** interactively. Ask me ONE guiding question at a time, wait for my answer, and adapt to my confusion — build the idea with me step by step instead of explaining it all at once. If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.
🧪 Quiz me & fix my gaps

Active recall exposes what you missed.

Quiz me on **Token Revocation and Refresh Rotation** with 5 questions, easy to tricky, ONE at a time. Tell me if each answer is right; at the end, explain clearly what I got wrong and why. If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.
🧠 Make it stick

Intuition + hook + flashcards for long-term memory.

Help me remember **Token Revocation and Refresh Rotation** for the long term: give the one-sentence intuition, a memorable hook/mnemonic, a tiny worked example, and 3 active-recall flashcards (Q -> A). If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.

📝 My notes