SqlOS

AuthServer

Refresh and Logout

Rotate refresh tokens, switch organizations, and revoke sessions.


Refresh

A refresh request presents the current refresh token. SqlOS consumes it, returns a new access/refresh token pair, and extends the session's idle timeout.

CSHARP
var tokens = await authService.RefreshAsync(
    new SqlOSRefreshRequest(refreshToken, organizationId: null), ct);

Frontend:

TYPESCRIPT
const tokens = await apiPost("/api/v1/auth/refresh", {
  refreshToken: storedRefreshToken,
});

// Persist the rotated pair; the refresh token just sent is now consumed
// and must not be reused.
localStorage.setItem("access_token", tokens.accessToken);
localStorage.setItem("refresh_token", tokens.refreshToken);

Organization switching

Switch organizations without re-authenticating by passing a different organizationId:

CSHARP
var tokens = await authService.RefreshAsync(
    new SqlOSRefreshRequest(refreshToken, organizationId: "org_newOrgId"), ct);

Replay detection

If a consumed refresh token is reused, SqlOS revokes the entire token family and the session. This protects against token theft -- if an attacker captures a refresh token and uses it, the legitimate user's next refresh attempt triggers revocation of everything.

Logout

Revoke a session by refresh token:

CSHARP
await authService.LogoutAsync(refreshToken: "rt_...", sessionId: null, ct);

By session ID:

CSHARP
await authService.LogoutAsync(refreshToken: null, sessionId: "ses_...", ct);

Revoke all sessions for a user:

CSHARP
await authService.LogoutAllAsync(userId, ct);

Frontend:

TYPESCRIPT
await apiPost("/api/v1/auth/logout", {
  refreshToken: storedRefreshToken,
});

// Clear local copies once the server has revoked the session.
localStorage.removeItem("access_token");
localStorage.removeItem("refresh_token");