How is the sIdRefreshToken used? Is it essential? Docs don’t give much detail

Hey! This is used by the verifySession function to know if a session exists or not in case the access token is missing (since that might have expired). If the sIdRefreshToken is there, the session does exist, in which case the function will return a try_refresh_token exception, else it will return an unauthorised exception. The lifetime of the sIdRefreshToken == lifetime of refresh token. So if sIdRefreshToken is not there, it means the session is not there.

Thank you. That’s clear

It will give unauthorised

Refresh token will also require sIdRefreshToken?

yes

I’m having to switch from cookies to retuning the tokens in the response bodies.

Ohh I see

Several developers on the fe web and mobile apps much prefer tokens from confirm step and refresh token step to be in the response body.

Hmmm i see.

The local storage example was a good starting point, but that also returns them in a header. Returning the tokens in the Json payload is a bit more hassle

Fair enough. Also, the verifySession may change the access token as well. So if that happens, you need to return the new access token to the frontend

Ok thanks. I didn’t realise that. I assumed only refresh token did that.

verify does that whenever: - The user update the access token payload in their API; OR - The first verifySession call after a refresh token call changes the access token too

Does this mean that refresh tokens get extended on all api requests ?

nope