I've read a lot of articles and GitHub issues regarding this but I'm not sure what the best solution is. For context I have a Laravel API that, on authentication, issues a JWT with a one hour life. When the first API request is made after that hour period the API returns a 401 token expiry error. As far as I can tell there are two ways to handle refreshing that token:
- In the API, when receiving a token, if it has expired but we are within the refresh TTL, refresh that token, continue the request as normal and return the new token in a header
- In the client, when a 401 response is returned with an expiry code, make a request to an API endpoint with the old token, have the API refresh and return a new token, then replay any pending API requests.
Item 2 sounds unnecessarily complicated because you would have to intercept and queue any requests from the client. Which way is this best handled?
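As an added example (not code from the question, from Laravel, or from any JWT package), here is what the client side of option 2 looks like when the "queue" is reduced to a single shared refresh promise: a fetch wrapper detects the API's 401 expiry reply, refreshes once using the old token, lets any concurrent 401s wait on that same refresh instead of each refreshing, replays each failed request with the new token, and retries only once so a refresh that is itself rejected (old token outside the refresh TTL) surfaces as a re-authentication error rather than a loop. The fake API, the `/auth/refresh` URL, the `token_expired` error code and the `tokenN` token format are all constructed assumptions standing in for the real backend.

```javascript
// Constructed stand-in for the Laravel API. Tokens are "tokenN"; the API
// honours only the current N, treats older ones as expired, and lets the
// refresh endpoint exchange a token that is at most one step behind
// (that step is the "refresh TTL" window).
function makeFakeApi() {
  let current = 1;        // token number the API currently accepts
  let refreshCalls = 0;   // how often the refresh endpoint was hit
  const reply = (status, body) => ({ status, headers: {}, body });
  const fetchImpl = async (url, { headers }) => {
    const n = Number((headers.Authorization || "").replace("Bearer token", ""));
    if (url === "/auth/refresh") {
      refreshCalls++;
      if (n !== current && n !== current - 1) return reply(401, { error: "token_invalid" });
      current++;
      return reply(200, { token: `token${current}` });
    }
    if (n !== current) return reply(401, { error: "token_expired" });
    return reply(200, { data: `ok:${url}` });
  };
  return { fetchImpl, expireNow: () => { current++; }, refreshCalls: () => refreshCalls };
}

// Client wrapper implementing option 2 from the question.
function createAuthClient({ fetchImpl, refreshUrl, initialToken }) {
  let token = initialToken;
  let refreshing = null;   // single in-flight refresh shared by all concurrent 401s

  function refresh(oldToken) {
    if (!refreshing) {
      refreshing = fetchImpl(refreshUrl, { headers: { Authorization: `Bearer ${oldToken}` } })
        .then((res) => {
          // Outside the refresh TTL (or revoked): the user must log in again.
          if (res.status !== 200) throw new Error("session expired, re-authenticate");
          token = res.body.token;
          return token;
        })
        .finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  async function request(url, opts = {}, attempt = 0) {
    const sentWith = token;   // remember which token this attempt carried
    const res = await fetchImpl(url, {
      ...opts,
      headers: { ...(opts.headers || {}), Authorization: `Bearer ${sentWith}` },
    });
    const expired = res.status === 401 && res.body && res.body.error === "token_expired";
    if (!expired || attempt > 0) return res;          // success, other error, or already retried once
    if (token === sentWith) await refresh(sentWith);   // someone else may have refreshed meanwhile
    return request(url, opts, attempt + 1);            // replay with the new token
  }

  return { request, currentToken: () => token };
}

// Walk through the lifecycle against the fake API and collect what happened.
async function demo() {
  const api = makeFakeApi();
  const client = createAuthClient({ fetchImpl: api.fetchImpl, refreshUrl: "/auth/refresh", initialToken: "token1" });
  const before = await client.request("/users/me");          // fresh token, plain 200
  api.expireNow();                                            // the hour passes
  const [a, b] = await Promise.all([client.request("/users/me"), client.request("/posts")]);
  const refreshesAfterConcurrent = api.refreshCalls();        // expected: 1, not 2
  api.expireNow(); api.expireNow();                           // now far beyond the refresh TTL
  let outcome = "ok";
  try { await client.request("/users/me"); } catch (e) { outcome = e.message; }
  return {
    before: before.status, a: a.body.data, b: b.body.data,
    refreshesAfterConcurrent, token: client.currentToken(), outcome,
  };
}

demo().then((r) => console.log(r));
```

The `attempt` counter is what keeps option 2 from turning into an infinite 401/refresh loop, and checking `token === sentWith` before refreshing means a request that was in flight during someone else's refresh simply replays with the newer token instead of triggering a second refresh.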