Should refresh token have expiration time ?

[emmanuel-D]

Hey Kyle, I have followed your tutorial on YouTube and also implemented some logic like you using JWT but in Java with the Framework Spring-Boot.
I am working on a mobile app like Twitter and I would like to know if refresh-tokens should have an expiration time or are there valid forever ?

[JosiasAurel]

@emmanuel-D indeed they should have an expiration time just like normal jsonwebtokens. If it doesn't expire, any malicious person who gets it has access to a user account.

[StoyanovDenislav]

It is usually recommended to be 84600 seconds or 24 hours due to the fact users won't like to sign-in every 15-30 minutes.