Token Expiration Check

2. Refresh & Rotation Security

Evaluate the renewal mechanism.

• RT Rotation: Is a new RT issued every time the AT is refreshed? (Prevents reuse of stolen RTs).
• Reuse Detection: If an old RT is used, does the server invalidate the entire family of tokens?
• Server-Side Invalidation: Is there a way to revoke tokens before expiry (Blacklisting/Database check)?

3. JWT Payload & Validation

• Payload Exposure: Are sensitive fields (Internal IDs, Passwords, PII) in the unencrypted JWT payload?
• Clock Skew Handling: Is there a grace period (e.g., 30s) for verification between server and client?
• Algorithm Verification: Is the alg: none attack mitigated? Are we forcing a secure algorithm (HS256/RS256)?

4. Frontend Token Handling

• Storage Security: Is the RT stored in an HttpOnly cookie or exposed to JS in localStorage?
• Synchronization: Does the app handle multiple tabs refreshing at once? (Race conditions).
• Graceful Expiry: Does the UI redirect to login exactly when the token expires, or does it wait for a 401?

What this skill does NOT review (Avoid overlap)

• RBAC: Role permissions (Use auth-security-audit).
• Functional Logic: Code that uses the token for business (Use backend-code-review).

Mandatory Output Format

1. Token Lifecycle Score

Security vs UX balance assessment.

2. Technical Vulnerabilities

Specific risks like "RT reuse possible" or "LocalStorage exposure".

3. Expiration Mapping

Table of current vs recommended durations.

4. Implementation Fixes

Code snippets to improve the refresh-rotation flow or cookie headers.