JWT Handler

Overview

Implements secure JWT token lifecycle for web applications — generation, validation, refresh rotation, revocation, and debugging. Produces code that follows current security best practices including short-lived access tokens, one-time refresh rotation with family tracking, and proper key management.

Instructions

Token Generation

When creating JWT tokens:

Access token: Short-lived (15 min), contains user ID and roles, signed with RS256 or ES256
Refresh token: Longer-lived (7-30 days), opaque or JWT, stored hashed in database
Always use asymmetric signing (RS256/ES256) for production — allows verification without the private key
Minimal payload: user ID, roles, issued-at, expiration. No PII, no secrets.

// Access token payload — keep it minimal
{
  sub: "user_abc123",
  roles: ["member"],
  iat: 1708185600,
  exp: 1708186500  // 15 minutes
}

Refresh Token Rotation

Implement one-time rotation with reuse detection:

Each refresh token belongs to a "family" (first token in chain)
On refresh: invalidate old token, issue new access + refresh pair
If a revoked token is presented → revoke ALL tokens in that family (theft detected)
Store in database: token_hash, family_id, user_id, expires_at, revoked_at

Token Validation Middleware

1. Extract token from Authorization header (Bearer scheme)
2. Verify signature using public key
3. Check expiration (exp claim)
4. Check issuer and audience if configured
5. Attach decoded payload to request context
6. Return 401 with specific error: expired, invalid, missing

Key Management

Generate RSA 2048+ or EC P-256 key pairs
Store private key in environment variable or secrets manager
Expose public key via /.well-known/jwks.json endpoint
Support key rotation: include key ID (kid) in token header

Examples

Example 1: Node.js Token Service

Prompt: "Create a JWT token service with refresh rotation for my Express app"

Output:

// token.service.ts
import jwt from 'jsonwebtoken';
import crypto from 'crypto';

export class TokenService {
  generateAccessToken(user: User): string {
    return jwt.sign(
      { sub: user.id, roles: user.roles },
      process.env.JWT_PRIVATE_KEY,
      { algorithm: 'RS256', expiresIn: '15m', issuer: 'app' }
    );
  }

  async generateRefreshToken(userId: string, familyId?: string): Promise<string> {
    const token = crypto.randomBytes(32).toString('hex');
    const hash = crypto.createHash('sha256').update(token).digest('hex');
    await db.refreshTokens.create({
      tokenHash: hash,
      userId,
      familyId: familyId || crypto.randomUUID(),
      expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
    });
    return token;
  }

  async rotateRefreshToken(oldToken: string) {
    const hash = crypto.createHash('sha256').update(oldToken).digest('hex');
    const stored = await db.refreshTokens.findByHash(hash);

    if (!stored || stored.revokedAt) {
      // Reuse detected — revoke entire family
      if (stored) await db.refreshTokens.revokeFamily(stored.familyId);
      throw new TokenReuseError();
    }

    await db.refreshTokens.revoke(stored.id);
    const newRefresh = await this.generateRefreshToken(stored.userId, stored.familyId);
    const user = await db.users.findById(stored.userId);
    const newAccess = this.generateAccessToken(user);
    return { accessToken: newAccess, refreshToken: newRefresh };
  }
}

Example 2: Debug a JWT Token

Prompt: "This JWT isn't working, can you decode it? eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImV4cCI6MTcwODE4NTYwMH0.abc..."