
AndrewMatthew46

Using JWT + VueJS for Laravel API Auth Best Practices

Hi,

As per the title, I'm using tymondesigns/jwt-auth for authentication to my API which I have set up and is working, however, I have a few questions regarding best practices with the JWT. Just for reference, my VueJS app is completely decoupled from my Laravel app, so I'm using Axios to send requests across.

The questions I have are as follows:

When do I refresh the token? Do I refresh the token upon every new request or do I set my own refresh time and refresh say every 15 minutes? (providing the token hasn't already expired).

What's the best way to store the JWT? After looking this up, I've read numerous horror stories about storing it as a cookie and in local storage and I'm unsure about both!

Continuing from the question above, if I go for the cookie approach, do I really need to send across a CSRF token along with the JWT on every request? How would I go about testing the endpoints using Postman if I need to supply a CSRF token on every request?

I appreciate my question has been split into multiple questions, so even answering just 1 will be of great help to me. If anyone has any resources they can point me to that I may have missed in my many hours of researching, that will also be very helpful.

Thanks!

AndrewMatthew46

@PRIMORDIAL - Hi, thanks for your answer.

I've viewed that question you've linked a dozen times and it's actually the question that made me think about storing my JWT in local storage, because if I store the JWT as a cookie, it will be sent across on every request, which isn't a good idea in my mind.

Reading up here however https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage says otherwise and actually at the end recommends that you store the JWT as a cookie.

I guess I will just have to take the plunge and choose one of them and just see how it goes!

Thanks.
