Refresh and Logout
Rotate refresh tokens, switch organizations, and revoke sessions.
Refresh
Each refresh consumes the current token and issues a new one. The session idle timeout is extended.
var tokens = await authService.RefreshAsync(
    new SqlOSRefreshRequest(refreshToken, organizationId: null), ct);
Frontend:
const tokens = await apiPost("/api/v1/auth/refresh", {
  refreshToken: storedRefreshToken,
});
localStorage.setItem("access_token", tokens.accessToken);
localStorage.setItem("refresh_token", tokens.refreshToken);
Organization switching
Switch organizations without re-authenticating by passing a different organizationId:
var tokens = await authService.RefreshAsync(
    new SqlOSRefreshRequest(refreshToken, organizationId: "org_newOrgId"), ct);
Replay detection
If a consumed refresh token is reused, SqlOS revokes the entire token family and the session. This protects against token theft: if an attacker captures a refresh token and uses it, the legitimate user's next refresh attempt presents the already-consumed token, which triggers revocation of everything.
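The replay rule above, modelled in memory as an added example (this is not SqlOS code). The class, method, and reason names are hypothetical, and the model treats the token family and the session as one unit.

```javascript
// Added illustration: in-memory model of refresh-token rotation with
// family revocation. Not SqlOS code; all names here are hypothetical.
const crypto = require("node:crypto");

class RotatingTokenStore {
  constructor() {
    this.tokens = new Map();          // token hash -> { familyId, consumed }
    this.revokedFamilies = new Set(); // families revoked after a replay
  }

  static hash(token) {
    // Store only a hash so a leaked store does not expose usable tokens.
    return crypto.createHash("sha256").update(token).digest("hex");
  }

  issue(familyId = crypto.randomUUID()) {
    const token = "rt_" + crypto.randomBytes(32).toString("base64url");
    this.tokens.set(RotatingTokenStore.hash(token), { familyId, consumed: false });
    return { refreshToken: token, familyId };
  }

  refresh(token) {
    const record = this.tokens.get(RotatingTokenStore.hash(token));
    if (!record) return { ok: false, reason: "unknown_token" };
    if (this.revokedFamilies.has(record.familyId)) {
      return { ok: false, reason: "family_revoked" };
    }
    if (record.consumed) {
      // Reuse of a consumed token: the store cannot tell thief from owner,
      // so it revokes every token descended from the same login.
      this.revokedFamilies.add(record.familyId);
      return { ok: false, reason: "replay_detected" };
    }
    record.consumed = true; // each token is single use
    return { ok: true, ...this.issue(record.familyId) };
  }
}

// Constructed scenario: a thief uses the stolen token before its owner does.
function simulateTheft() {
  const store = new RotatingTokenStore();
  const login = store.issue();
  const thief = store.refresh(login.refreshToken);      // succeeds and rotates
  const owner = store.refresh(login.refreshToken);      // consumed, so replay
  const thiefAgain = store.refresh(thief.refreshToken); // family now revoked
  return { thief, owner, thiefAgain };
}
```

In the constructed scenario the thief's first refresh succeeds, but the owner's next attempt trips the replay check and the thief's rotated token stops working as well.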
Logout
Revoke a session by refresh token:
await authService.LogoutAsync(refreshToken: "rt_...", sessionId: null, ct);
By session ID:
await authService.LogoutAsync(refreshToken: null, sessionId: "ses_...", ct);
Revoke all sessions for a user:
await authService.LogoutAllAsync(userId, ct);
Frontend:
await apiPost("/api/v1/auth/logout", {
  refreshToken: storedRefreshToken,
});
localStorage.removeItem("access_token");
localStorage.removeItem("refresh_token");