JWT Refresh Race Conditions FAQ & Answers

When multiple simultaneous requests detect expired access token, they all race to call /refresh endpoint. Both see old refresh token as valid and receive new tokens from server, but only the last response is valid server-side. Stale revoked token overwrites client storage, causing next request to fail with invalid token. User gets logged out unexpectedly. Common trigger: Multiple tabs, parallel API calls, or mobile app background sync all hitting expired token simultaneously.

Subtract 30-60 seconds from refresh token cookie expiry before setting it (2025 best practice reduced from earlier 2-minute recommendations). Browser stops sending cookie before server considers token expired, preventing race condition retries with stale tokens. Pattern: const expiresAt = Date.now() + (7 * 24 * 60 * 60 * 1000); res.cookie('refresh_token', token, { expires: new Date(expiresAt - 30000), httpOnly: true, secure: true, sameSite: 'strict' }). This 30-second buffer prevents races where losing request arrives after cookie dropped. Must combine with httpOnly, Secure, SameSite flags per Auth0 2025 guidance. Simplest defense layer but insufficient alone - combine with client-side locking for production. Best for high-latency networks (use 60s buffer). Works with httpOnly cookies only to prevent XSS token theft.

Use a shared promise that racing requests wait for instead of starting duplicate refreshes. Pattern: this.refreshPromise ||= this.refreshToken().finally(() => this.refreshPromise = null). When first request starts refresh, it stores promise. Other requests check if refreshPromise exists - if yes, await it instead of calling /refresh again. After completion, clear promise for next refresh cycle. This is the most reliable solution. Prevents duplicate /refresh calls at source. Works for web and mobile apps.

Cache refresh results in Redis with 1-second TTL. Pattern: const cached = await redis.get(refresh:${oldToken}); if (cached) return JSON.parse(cached); const newTokens = await generateTokens(); await redis.setex(refresh:${oldToken}, 1, JSON.stringify(newTokens)). Racing requests within 1 second window find cached result and return it, avoiding token rotation conflicts. Use as defense-in-depth with client-side locking. Short TTL prevents stale tokens from being reused. Adds 2-5ms latency but prevents user logouts.

Each refresh generates new tokens and invalidates old refresh token. If server receives already-used refresh token, it detects reuse and invalidates entire token family for security. Pattern: Store token family ID in DB, mark tokens as used when refreshed. If used token arrives, invalidate all tokens in that family. Prevents: stolen token reuse, race condition exploitation. Protects: against token theft, forces re-authentication on compromise. Trade-off: Legitimate race conditions cause logout, so must combine with client-side locking.

Client-side locking (shared promise pattern) is most reliable. Prevents races at source, works for all request types, no server changes needed, zero latency overhead. Pattern: this.refreshPromise ||= this.refreshToken().finally(() => this.refreshPromise = null). For defense in depth, combine with: (1) Cookie expiry delta (2-min buffer), (2) Server-side Redis cache (1s TTL), (3) Reuse detection (security). Order of implementation: Start with client locking (solves 95%), add Redis for remaining edge cases, add reuse detection for security.

1 second is optimal for JWT refresh result caching. Short enough to prevent stale tokens, long enough to catch racing requests. Pattern: redis.setex(refresh:${token}, 1, JSON.stringify(result)). Longer TTL risks serving revoked tokens, shorter TTL misses races. Racing requests typically arrive within 100-500ms. 1-second window catches 99% of races with minimal staleness risk. Don't cache longer than 2 seconds - security risk if token is compromised. Monitor cache hit rate: >10% means races are occurring.

Yes, use defense in depth: (1) Client-side locking (primary defense, prevents 95% of races), (2) Redis caching (catches stragglers within 1s), (3) Reuse detection (security against token theft). Don't rely on single method. Client-side locking might fail on network issues, Redis helps. Reuse detection protects against attacks but can cause false positives without locking. Pattern: Implement client locking first (biggest impact), add Redis for production hardening, implement reuse detection for security compliance. Each layer adds <5ms latency but prevents user logouts.