Context (P1 — security)
A single 24h JWT (app.jwt.expiration-ms=86400000) is a long blast radius with no revocation path.
Scope
- Refresh token entity (opaque random token, hashed at rest, per-device row, expiry ~14d) + rotation on use with reuse detection
POST /api/v1/auth/refresh + POST /api/v1/auth/logout (revokes the family)
- Drop access-token TTL to ~15min (configurable)
- Liquibase changeset for the refresh_token table
Acceptance criteria
Context (P1 — security)
A single 24h JWT (
app.jwt.expiration-ms=86400000) is a long blast radius with no revocation path.Scope
POST /api/v1/auth/refresh+POST /api/v1/auth/logout(revokes the family)Acceptance criteria