Hi @rp_st For refreshing the session , I am able to use the same refresh token multiple times for getting new access token if I pass that as Authorization header Whereas if I pass same refresh token twice as cookie then it says Token theft detected and on third time it says : Unauthorized Can you please tell why the flow differs in both cases that is Authorziation header and cookie ?

hey @krrishan it should not make a difference. In general, you can continue to use a refresh token multiple times, until you use the new access / refresh token at least one. After which, the old refresh token will not work anymore. When doing the test, double check that in cookie based, the only token you are sending is the refresh token cookie and not the access token cookie

I already checked that So there should be same flow right from Auth header and cookie based But there seems a issue

It is the same flow

curl --location --globoff --request POST '{{host}}/core/api/v1/auth/session/refresh' \ --header 'rid: session' \ --header 'Cookie: sRefreshToken=xI2iqzfXTzwAIKAxkDNwOh1bXJ2RHNq/tEUozygBwuFD3f+2poQzHTidIaO8s8KHUI1oOktde2Vdc5PZYLC0l1XaiMrc7ugZIcodXm1ruk2gWL4tuhO+m/Kzza6ntA0xSUWdf5fTDye3iFrqp9mSWKy86S+Ddnn3Gww07btQdgb+ohxmIkm5l/I6Plg0Y3JpUpdGOK6FSlwqOVqAh9AOzmamFCnoWX87l7RUuN6Jd4eD/WFiXsrPBtDnDgwzTcjEVddFlY9o9a4WJBg5NpZK.829d4375d60698fe06f11f4f3047b0fcb6052eeb3d700808e29e856336ee2462.V2'

Now can you copy the cookie curl on the terminal and run it multiple times?

On second time I get token theft detected

Using the same refresh token? Do you how any customisations in the refresh api?

yes

What are the customisations?

If you remove these customisations and try, to make the curl calls, what happens?

The cookie flow is fine I guess Using same refresh token should give the error But why it is not happening when we share it as Auth Header

Using the same refresh token should not give the error, unless the new access token has been used at least once

Ok

I have no idea what u mean. Sorry

In first time getting access token and refresh token as response header

Can u make a video explaining the issue?

Sure

Please use curl command only in the video.

curl --location --request POST 'http://localhost:3331/core/api/v1/auth/session/refresh' \ --header 'rid: session' \ --header 'Cookie: sRefreshToken=BaQZ5b6skJSajS+CNH7dMWo8fRWkydYqB5OBQ5P7V73C/vq9ZrwmzSeZ7NUckhsOasle7A8K7y5WjVetd46sMYroT8gf/tWVX5/lumVCNSRe0gQCazF2sxqPTOR5Rq896HTwYN1iLx+5L27VOULKDsl7SbA91q6VckAnvUIwhm3hLY1wx0eMVKsaqb62HxJJ8sfdkO4waDmtrY+2S8EQXXwpZOKeMQB/Zj8vU/ha5jCKtxwwQPh/5bDkwV9feiRscuN94Y6Bz4v1mrSqwsCb.9bbada6773de8745d4de2c59bb997a7cdc8f1a1a908dc8b0ab9095d5217a5b3d.V2'

please check the video.

I have attached the video Steps taken : 1. Generated a new access token and refresh token by login 2. Called refresh session api by using generated refresh token in step 1 => got new access token and refresh token 3. re called the same refresh session api without any change => response : token theft detected

please see the video...

Sorry for inconvience Sending another video

can you just try it using curl?

It is the same curl which is shared with you

Try it on our demo app?

In demo app on UI the refresh token is automatically updated with a new one

I am using the older one

Can you share me the curl or the link that you are using ? I could not find in docs

You can see it from chrome network tab. Google it.