# Auth

The auth system uses two tokens, an access token and a refresh token.

The access token is a JWT with the following claims:
```
scope: "com.atproto.access"
sub: <the user's DID>
iat: the current time, in unix epoch seconds
exp: the expiry date, usually around an hour, but at least 15 minutes
```

The refresh token is a JWT with the following claims:
```
scope: "com.atproto.refresh"
sub: <the user's DID>
iat: the current time, in unix epoch seconds
exp: the expiry date, usually around a week, must be significantly longer than the access token
jti: a unique identifier for this token
```

The access token is used for all requests. Since it expires quickly, it must be
refreshed periodically using the refresh token.
When a refresh token is used, it must be marked as deleted, and the newly issued refresh token replaces it.
Note: the old access token is not necessarily disabled at the point of refreshing.

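An added example (not the project's own code) of the issue/refresh flow described above, using a stdlib HS256 JWT and an in-memory set of used `jti` values in place of a real revocation store; the signing secret, DID and timestamps are constructed for the demo. It shows that a refresh token is single-use, that an access token is rejected for refreshing, and that the old access token stays valid until its `exp` as the note says.

```python
import base64, hashlib, hmac, json, time, uuid

SECRET = b"constructed-demo-secret"  # constructed; a real server uses its own key
revoked_jti: set[str] = set()         # refresh tokens already used ("marked as deleted")

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _decode(token: str) -> dict:
    # Verify the signature before trusting any claim.
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def issue_session(did: str, now: int) -> tuple[str, str]:
    # Access token: ~1 hour. Refresh token: ~1 week, with a unique jti.
    access = _sign({"scope": "com.atproto.access", "sub": did,
                    "iat": now, "exp": now + 3600})
    refresh = _sign({"scope": "com.atproto.refresh", "sub": did,
                     "iat": now, "exp": now + 7 * 24 * 3600, "jti": str(uuid.uuid4())})
    return access, refresh

def verify_access(token: str, now: int) -> str:
    claims = _decode(token)
    if claims.get("scope") != "com.atproto.access":
        raise ValueError("wrong scope")          # a refresh token cannot call APIs
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims["sub"]

def refresh_session(refresh_token: str, now: int) -> tuple[str, str]:
    claims = _decode(refresh_token)
    if claims.get("scope") != "com.atproto.refresh":
        raise ValueError("wrong scope")          # an access token cannot refresh
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims["jti"] in revoked_jti:
        raise ValueError("refresh token already used")
    revoked_jti.add(claims["jti"])               # mark deleted; new tokens replace it
    return issue_session(claims["sub"], now)
```

Reuse of a consumed refresh token is a signal worth logging: it means either a client retry or that two parties hold the same token.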