Ive been doing a lot of research on SPA auth with laravel, from my understanding refresh tokens are NOT to be used with single page apps. Also note, i will be building the FE, not a third part access, and i will have a mobile app (refresh tokens best practice for mobile app).
From what i gather, i have two options to secure my API for my SPA specifically:
Option 1 seems like a bit more overhead on the client side to setup and requires passport which is a bit more baggage for what i need right now, but setting up the refresh token route for my mobile app is super easy /oauth/token
Option 2 seems easy and light weight, can setup refresh token as well for mobile app (might be abit more work), is it really less secure to have token that expires say every 24hrs?
Your input is appreciated.