I am creating an API that uses token authentication (JWT). I want this token to be valid for, say, 10 minutes and, at each request, return a new token, so the user keeps access while active; if they are disconnected for a long time (more than 10 min), they will have to reauthenticate.
Must the client make two requests, one for the main resource (a user search, for example) and another for a new token? Or is it better for the backend to always return a new token in addition to the user search?
In the case of the second option, how do I send this token? As part of the body? Is there a specific HTTP header for this? Is there a problem with passing the token via cookie?
I saw the use of a `Token` and an `Authorization` header, but I did not find anything official, just blogs. I know the second one is used to pass the token from the client to the server; does it work vice versa too?

The `Token` header does not appear in MDN, nor in the unofficial Wikipedia list.

The `Authorization` header only appears for requests, that is, from client to server.