How to refresh JWT tokens in Node.js

Friday, November 28, 2025

#nodejs #jwt #refresh-token #security #authentication

Implementing JWT token refresh enhances security by using short-lived access tokens paired with longer-lived refresh tokens for automatic renewal. As the creator of CoreUI with extensive Node.js authentication experience since 2014, I’ve implemented token refresh systems in numerous enterprise applications. The most secure approach uses separate access and refresh tokens, where refresh tokens are stored securely and used exclusively for generating new access tokens. This pattern provides optimal security while maintaining seamless user experience without frequent re-authentication.

Create separate access and refresh tokens with a dedicated refresh endpoint for secure token renewal.

const jwt = require('jsonwebtoken')

function generateTokens(user) {
  const accessToken = jwt.sign(
    { id: user.id, email: user.email },
    process.env.JWT_ACCESS_SECRET,
    { expiresIn: '15m' }
  )

  const refreshToken = jwt.sign(
    { id: user.id },
    process.env.JWT_REFRESH_SECRET,
    { expiresIn: '7d' }
  )

  return { accessToken, refreshToken }
}

// Refresh token endpoint
app.post('/auth/refresh', (req, res) => {
  const { refreshToken } = req.body

  jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET, (err, decoded) => {
    if (err) return res.status(403).json({ error: 'Invalid refresh token' })

    const newAccessToken = jwt.sign(
      { id: decoded.id },
      process.env.JWT_ACCESS_SECRET,
      { expiresIn: '15m' }
    )

    res.json({ accessToken: newAccessToken })
  })
})

This code generates both access tokens (15 minutes) and refresh tokens (7 days) with different secrets. The refresh endpoint validates the refresh token and issues a new access token without requiring user credentials. This approach minimizes the window of vulnerability while providing automatic token renewal for active users.

Best Practice Note:

This is the token refresh strategy we use in CoreUI production APIs for optimal security and user experience. Store refresh tokens in secure HTTP-only cookies and implement token blacklisting for enhanced security in critical applications.

Speed up your responsive apps and websites with fully-featured, ready-to-use open-source admin panel templates—free to use and built for efficiency.

About the Author

Łukasz Holeczek, Founder of CoreUI, is a seasoned Fullstack Developer and entrepreneur with over 25 years of experience. As the lead developer for all JavaScript, React.js, and Vue.js products at CoreUI, they specialize in creating open-source solutions that empower developers to build better and more accessible user interfaces.

With expertise in TypeScript, JavaScript, Node.js, and modern frameworks like React.js, Vue.js, and Next.js, Łukasz combines technical mastery with a passion for UI/UX design and accessibility. CoreUI’s mission is to provide developers with tools that enhance productivity while adhering to accessibility standards.

Łukasz shares its extensive knowledge through a blog with technical software development articles. It also advises enterprise companies on building solutions from A to Z. Through CoreUI, it offers professional services, technical support, and open-core products that help developers and businesses achieve their goals.

Learn more about CoreUI’s solutions and see how your business can benefit from working with us.