Skip to content

Token Rotation

On this page we want to explain some technical details about how token rotation works in the mytoken server.

Rotating the Mytokens

Each mytoken (chain) has an ID (the jti in the JWT). This id is the same for all mytokens in the same chain and will not change. Each (individual) mytoken also has a sequence number (seq_no in the JWT). The seq_no always starts at 1 what also means that all mytokens that do not use token rotation always have a seq_no of 1.

If rotation is enabled, all mytokens in a chain have the same ID, but the seq_no increases with each rotation. Since mytokens are JWTs, the seq_no is encoded in the mytoken and can be seen if the token is decoded. This way the server can easily create new, non-predictable, but still linked mytoken strings on each rotation. This implementation also allows the server to verify very easily that a mytoken is the newest in a chain by keeping track of the current seq_no for each mytoken.

Automatic Revocation

This seq_no is also used to detect token abuse: If the seq_no of a mytoken is smaller than the one stored in the database (but the signature still checks out), the presented mytoken is an old one, that is no longer valid, and the server can revoke the whole chain.

Last update: August 23, 2022 06:19:07
Back to top