
Refresh Token Abuse and Rotation Defenses

Refresh token abuse defenses: rotation, reuse detection, device binding signals, and a concrete response playbook when reuse is detected.


Why Refresh Tokens Are High Value

If an attacker steals a refresh token, they can mint new access tokens repeatedly without re-authenticating. Treat refresh tokens as secrets with a managed lifecycle.

Required Controls

  • Rotation on every use: each refresh token is single-use and is replaced by a new one when redeemed.
  • Reuse detection: if an already-consumed token is presented again, treat it as likely theft.
  • Bound context: store device/session metadata with the token and compare it on refresh, as a signal rather than a sole factor.
  • Short refresh TTL plus periodic forced re-authentication.

Reuse Detection Flow

On refresh:
- if token_id already used:
  - mark session compromised
  - revoke all refresh tokens for user (or that device)
  - require re-auth
  - alert security + log event
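The following is an added example (not code from the original page) that implements the required controls and the reuse detection flow above as a token-family store. It assumes an in-memory dictionary standing in for the database, opaque random tokens whose SHA-256 hash is what gets persisted, and a "family" meaning the chain of tokens descending from one login; the TTL constants and the `device_id` field are illustrative choices.

```python
"""Refresh token rotation with reuse detection (token families).

Added example. Assumptions (all hypothetical): an in-memory store stands
in for the database; tokens are opaque random strings and only their
SHA-256 hash is stored; a family is the chain of tokens issued from one
login, so revoking a family kills every token derived from it.
"""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass

REFRESH_TTL_SECONDS = 7 * 24 * 3600         # short TTL per token (assumed value)
ABSOLUTE_SESSION_SECONDS = 30 * 24 * 3600   # forced re-auth cap per family (assumed value)


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class TokenRecord:
    family_id: str
    user_id: str
    device_id: str
    issued_at: float
    used: bool = False          # flipped once the token has been rotated


@dataclass
class Family:
    user_id: str
    device_id: str
    created_at: float
    compromised: bool = False   # set on reuse detection or expiry


class RefreshTokenStore:
    def __init__(self) -> None:
        self.tokens: dict[str, TokenRecord] = {}   # token hash -> record
        self.families: dict[str, Family] = {}
        self.audit: list[dict] = []               # security events for alerting

    def issue(self, user_id: str, device_id: str, family_id: str | None = None,
              now: float | None = None) -> str:
        """Mint a new one-time refresh token; a fresh family means a fresh login."""
        now = time.time() if now is None else now
        if family_id is None:
            family_id = secrets.token_hex(8)
            self.families[family_id] = Family(user_id, device_id, now)
        raw = secrets.token_urlsafe(32)
        self.tokens[_hash(raw)] = TokenRecord(family_id, user_id, device_id, now)
        return raw

    def refresh(self, raw: str, device_id: str, now: float | None = None):
        """Redeem a refresh token. Returns (new_token | None, status)."""
        now = time.time() if now is None else now
        rec = self.tokens.get(_hash(raw))
        if rec is None:
            return None, "unknown_token"
        fam = self.families[rec.family_id]
        if fam.compromised:
            return None, "family_revoked"
        if rec.used:
            # A one-time token presented twice: the legitimate holder already
            # rotated it, so a second presentation means a stolen copy.
            self._revoke_family(rec.family_id, "reuse_detected", now)
            return None, "reuse_detected"
        if (now - rec.issued_at > REFRESH_TTL_SECONDS
                or now - fam.created_at > ABSOLUTE_SESSION_SECONDS):
            self._revoke_family(rec.family_id, "expired", now)
            return None, "expired_reauth_required"
        if device_id != rec.device_id:
            # Device binding is a signal, not a sole factor: record it, continue.
            self.audit.append({"event": "refresh.device_mismatch", "user": rec.user_id,
                               "expected": rec.device_id, "seen": device_id, "ts": now})
        rec.used = True
        new_raw = self.issue(rec.user_id, rec.device_id, family_id=rec.family_id, now=now)
        return new_raw, "ok"

    def _revoke_family(self, family_id: str, reason: str, now: float) -> None:
        fam = self.families[family_id]
        fam.compromised = True
        for rec in self.tokens.values():
            if rec.family_id == family_id:
                rec.used = True
        self.audit.append({"event": f"refresh.{reason}", "user": fam.user_id,
                           "device_id": fam.device_id, "family": family_id, "ts": now})

    def revoke_user(self, user_id: str, now: float | None = None) -> int:
        """Runbook step: revoke every family (all devices) for a user."""
        now = time.time() if now is None else now
        ids = [fid for fid, f in self.families.items()
               if f.user_id == user_id and not f.compromised]
        for fid in ids:
            self._revoke_family(fid, "revoked_by_operator", now)
        return len(ids)
```

Revoking the whole family on reuse is what makes the control work: whichever of the two parties (legitimate client or thief) presents the stale token, both end up logged out and the user is forced to re-authenticate, and the `refresh.reuse_detected` audit event is the signal the alerting section keys on.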

Operational Signals

Alert candidates:
- refresh.reuse_detected count > 0
- refresh attempts from new geo/ip for same device id
- refresh failures spike
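As an added example (not from the original page), the three alert candidates above as detection logic run over constructed JSON-lines refresh events. The event names, field names, the per-device first-seen baseline for "new geo/ip", and the failure-spike threshold and window are all assumptions; the sample IPs are RFC 5737 documentation addresses.

```python
"""Alert evaluation for refresh-token signals (added example).

Assumptions: events are JSON lines with ts (seconds), event, user, device_id,
ip and geo fields; "new geo/ip for a device" means an origin not seen before
for that device_id within the evaluated batch; a failure spike is more than
`failure_threshold` refresh.failed events inside a sliding window.
"""
import json

# Constructed sample events; not taken from any real system.
SAMPLE_LOG = """\
{"ts": 1000, "event": "refresh.ok", "user": "alice", "device_id": "dev-1", "ip": "203.0.113.5", "geo": "DE"}
{"ts": 1060, "event": "refresh.ok", "user": "alice", "device_id": "dev-1", "ip": "203.0.113.5", "geo": "DE"}
{"ts": 1120, "event": "refresh.ok", "user": "alice", "device_id": "dev-1", "ip": "198.51.100.9", "geo": "BR"}
{"ts": 1130, "event": "refresh.reuse_detected", "user": "alice", "device_id": "dev-1", "ip": "198.51.100.9", "geo": "BR"}
{"ts": 1200, "event": "refresh.failed", "user": "bob", "device_id": "dev-2", "ip": "192.0.2.7", "geo": "US"}
{"ts": 1210, "event": "refresh.failed", "user": "bob", "device_id": "dev-2", "ip": "192.0.2.7", "geo": "US"}
{"ts": 1220, "event": "refresh.failed", "user": "bob", "device_id": "dev-2", "ip": "192.0.2.7", "geo": "US"}
{"ts": 1230, "event": "refresh.failed", "user": "bob", "device_id": "dev-2", "ip": "192.0.2.7", "geo": "US"}
{"ts": 1240, "event": "refresh.failed", "user": "bob", "device_id": "dev-2", "ip": "192.0.2.7", "geo": "US"}
{"ts": 1250, "event": "refresh.failed", "user": "bob", "device_id": "dev-2", "ip": "192.0.2.7", "geo": "US"}
{"ts": 1300, "event": "refresh.ok", "user": "erin", "device_id": "dev-3", "ip": "203.0.113.44", "geo": "FR"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate_alerts(events: list[dict], failure_threshold: int = 5,
                    failure_window: int = 300) -> list[dict]:
    """Return one alert dict per rule hit: reuse_detected, new_origin_for_device, failure_spike."""
    alerts: list[dict] = []
    events = sorted(events, key=lambda e: e["ts"])

    # Rule 1: any reuse_detected event is an alert on its own (count > 0).
    for e in events:
        if e["event"] == "refresh.reuse_detected":
            alerts.append({"rule": "reuse_detected", "user": e["user"],
                           "device_id": e["device_id"], "ts": e["ts"]})

    # Rule 2: refresh from a (geo, ip) pair not previously seen for this device_id.
    seen_origins: dict[str, set] = {}
    for e in events:
        if not e["event"].startswith("refresh."):
            continue
        origin = (e["geo"], e["ip"])
        seen = seen_origins.setdefault(e["device_id"], set())
        if seen and origin not in seen:
            alerts.append({"rule": "new_origin_for_device", "user": e["user"],
                           "device_id": e["device_id"], "geo": e["geo"],
                           "ip": e["ip"], "ts": e["ts"]})
        seen.add(origin)

    # Rule 3: refresh failures spike; sliding window over failure timestamps, fire once.
    fails = [e["ts"] for e in events if e["event"] == "refresh.failed"]
    start = 0
    for i, ts in enumerate(fails):
        while ts - fails[start] > failure_window:
            start += 1
        count = i - start + 1
        if count > failure_threshold:
            alerts.append({"rule": "failure_spike", "count": count,
                           "window_start": fails[start], "window_end": ts})
            break
    return alerts
```

The new-origin rule uses the batch itself as the baseline, which is fine for a demonstration; in production the first-seen origins per device would come from a persisted profile so a single batch with one event per device does not suppress the signal.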

Runbook

  • Revoke tokens for affected user/device.
  • Invalidate sessions and prompt password reset if needed.
  • Check for account takeover indicators (email change, MFA reset, payouts).