What happens if a refresh token is stolen?

I’m currently looking at implementing the token refresh rotation feature using okta-auth-js with the following access rule policy:


However, does this mean that if my refresh token is stolen, a hacker can continue to use it to retrieve new access tokens for 30 days? FYI, I’m using the PKCE flow with my ReactJS app.

In order to support refresh tokens for SPAs, refresh token rotation was introduced.

Refresh token rotation helps a public client to securely rotate refresh tokens after each use. When refresh token rotation behavior is enabled in Okta, a new refresh token is returned each time the client makes a request to exchange a refresh token for a new access token.


Thanks, I’m currently implementing that, but I see that Okta recommends setting the refresh token lifetime to be as short as possible. Just wondering why that is if the refresh token is rotated anyway?

See bottom of this page: Refresh token rotation | Okta Developer

My interpretation is that the refresh token will be valid for X amount of time (the default value is unlimited). I believe this is a suggestion as an added layer of security on top of the rotation.
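An added example, not part of the original posts and not Okta's or okta-auth-js's code: a toy in-memory model of the rotation and lifetime behaviour discussed above, showing what each control bounds. It assumes the lifetime is fixed at first login and inherited by every rotated token, and that replaying a retired token revokes the whole chain; the class and function names are hypothetical.

```javascript
// Added toy model; not Okta's implementation and not the okta-auth-js API.
const DAY = 24 * 60 * 60 * 1000;
class RotatingTokenServer {
  constructor(lifetimeMs) {
    this.lifetimeMs = lifetimeMs; // absolute lifetime of one token chain
    this.tokens = new Map();      // token -> { chain, used }
    this.seq = 0;
  }
  issue(chain) {
    // Toy token values; a real server draws these from a CSPRNG.
    const token = `${++this.seq}.${Math.random().toString(36).slice(2)}`;
    this.tokens.set(token, { chain, used: false });
    return token;
  }
  // Initial grant (stands in for the PKCE authorization code exchange).
  login(now) { return this.issue({ expiresAt: now + this.lifetimeMs, revoked: false }); }
  refresh(token, now) {
    const rec = this.tokens.get(token);
    if (!rec) return { ok: false, error: 'unknown_token' };
    if (rec.chain.revoked) return { ok: false, error: 'chain_revoked' };
    if (now >= rec.chain.expiresAt) return { ok: false, error: 'expired' };
    if (rec.used) {
      // Assumption: replaying a retired token revokes the whole chain.
      rec.chain.revoked = true;
      return { ok: false, error: 'reuse_detected' };
    }
    rec.used = true; // rotation: the presented token is retired
    return { ok: true, refreshToken: this.issue(rec.chain) };
  }
}

// The legitimate client rotates, then the retired token is presented again.
function replayAfterRotation() {
  const server = new RotatingTokenServer(30 * DAY);
  const first = server.login(0);
  const second = server.refresh(first, 1000).refreshToken;
  return [server.refresh(first, 2000).error, server.refresh(second, 3000).error];
}
// The real client goes idle after login; a copy of its token is refreshed daily.
function daysCopiedTokenWorks(lifetimeDays, maxDays = 90) {
  const server = new RotatingTokenServer(lifetimeDays * DAY);
  let token = server.login(0), days = 0;
  for (let d = 0; d < maxDays; d++) {
    const r = server.refresh(token, d * DAY);
    if (!r.ok) break;
    token = r.refreshToken; days++;
  }
  return days;
}
```

In this model, rotation only catches a copied token once the legitimate client refreshes again; if that client goes idle, the lifetime is the only bound, which is why a 30-day setting leaves a 30-day window and a 1-day setting a 1-day window.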

Thanks. Any advice on what the lifetime should be for a single page app? I.e., how short is short?