I have found that many people on the Internet, when they use JWT, set two tokens: an access_token and a refresh_token. The access_token expires in 2 hours and the refresh_token expires in 7 days. If the access_token expires but the refresh_token has not, a new access_token is generated. If the refresh_token expires, the user has to log in again.
I wonder whether you can just set one token to expire in 7 days. It is said that setting two tokens is more secure, but if someone can get one of your tokens, he will definitely get the other. Or is it necessary to set up two tokens for some special scenarios? I hope experienced people can help answer these questions!
Thank you!
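As an added example (not part of the original post), here is the two-token scheme described in the question, written with only the Python standard library: HS256 JWTs are signed by hand, the access token lives 2 hours and the refresh token 7 days, and the refresh token is rotated on every use, with the server remembering only the `jti` of the currently valid refresh token per user. The secret, the user name `alice` and the timestamps are constructed values; the function names are my own.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

SECRET = b"constructed-demo-secret-do-not-reuse"   # constructed demo key
ACCESS_TTL = 2 * 3600           # 2 hours, as in the question
REFRESH_TTL = 7 * 24 * 3600     # 7 days, as in the question


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(claims).base64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, now: int, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is not expired, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":        # accept only the algorithm we issue
            return None
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:                          # bad base64, bad JSON, wrong segment count
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Server-side state: per user, the jti of the one refresh token that is currently valid.
# Anything else presented as a refresh token is a replay of a rotated-out token.
_active_refresh: Dict[str, str] = {}


def issue_tokens(user: str, now: int) -> Tuple[str, str]:
    """Issue a fresh (access_token, refresh_token) pair and record the refresh jti."""
    access = sign_jwt({"sub": user, "typ": "access", "iat": now, "exp": now + ACCESS_TTL})
    jti = secrets.token_hex(16)
    refresh = sign_jwt({"sub": user, "typ": "refresh", "jti": jti, "iat": now, "exp": now + REFRESH_TTL})
    _active_refresh[user] = jti
    return access, refresh


def refresh_tokens(refresh_token: str, now: int) -> Optional[Tuple[str, str]]:
    """Exchange a valid refresh token for a new pair; the old refresh token is consumed."""
    claims = verify_jwt(refresh_token, now)
    if claims is None or claims.get("typ") != "refresh":
        return None
    user = claims["sub"]
    if _active_refresh.get(user) != claims.get("jti"):
        # A refresh token that was already rotated out is being replayed:
        # treat the session as compromised and revoke it entirely.
        _active_refresh.pop(user, None)
        return None
    return issue_tokens(user, now)


def authorize(access_token: str, now: int) -> Optional[str]:
    """Return the user for a valid, unexpired access token; refresh tokens are refused here."""
    claims = verify_jwt(access_token, now)
    if claims is None or claims.get("typ") != "access":
        return None
    return claims["sub"]


if __name__ == "__main__":
    t0 = 1_700_000_000
    access, refresh = issue_tokens("alice", t0)
    print("access ok:", authorize(access, t0 + 60))
    print("access after 2h:", authorize(access, t0 + ACCESS_TTL))
    print("refresh ok:", refresh_tokens(refresh, t0 + ACCESS_TTL) is not None)
    print("replayed refresh:", refresh_tokens(refresh, t0 + ACCESS_TTL + 1))
```

The `typ` claim keeps the two tokens from being swapped for each other, and the rotation plus the server-side `jti` record is what a single 7-day token cannot give you: the short-lived access token is the one sent on every request, so its exposure window is 2 hours, while the refresh token is only ever presented to the token endpoint, and a replay of an already-used refresh token is detectable and revokes the session.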