The method used to login has changed from using a token that does not expire for a long time to using two tokens that must be refreshed. The reason for this change is to improve the security when logging on and off.
There are now two types of JWT:
- Access token: A token which allows a user to access allowed APIs endpoint.
This token has a default lifespan of 30 minutes, which means after this duration the JWT token will no longer be valid, and a new one must be issued. You cannot create another access token by using the first one. This is normally exposed in log files and browser history, because it is passed as a URL parameter.
- Refresh token: A token which has a long life (by default 7 days) is used to create new access tokens.
The refresh token cannot be used to perform authenticated requests though: it is only used is to obtain new access tokens whenever needed. This token must only be passed through POST request, and must not be passed through URL parameter.
Furthermore, a refresh token can be refreshable or not, this will depend on how the instance is setup. When a refresh token is refreshable, it will be possible to obtain a new refresh token using an about-to-expire refresh token. Contrary to a refresh token that is not refreshable, when you inevitably logout at some point, since the refresh token will expire and will no longer be valid for retrieving more access tokens. To get a new access and refresh token pair login again.