I am implementing a JWT-based authentication system in my REST API, and am looking to use the JWT_ID claim in the token. According to Auth0, JWT ID allows a token to be used once:

> jti (JWT ID): Unique identifier; can be used to prevent the JWT from being replayed (allows a token to be used only once)

I am wondering how often the JWT ID should be regenerated:
- On every request
- On Login only
- On token refresh (if refresh token system is used)

NOTE: I am not using Auth0 for my authentication.
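
An added example, not part of the original post and not Auth0's code, of what the quoted `jti` definition requires on the server side: the issuer gives each token its own `jti`, and the verifier records every `jti` it has accepted until that token's `exp` so a second presentation is rejected. The key, the function names and the `OneTimeVerifier` class are hypothetical, and the in-memory store stands in for whatever shared store a real deployment would use.

```python
import base64, hashlib, hmac, json, time, uuid

SECRET = b"constructed-demo-key"  # constructed sample key (assumption)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header, body):
    return hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()

def issue_token(sub, ttl=300, now=None):
    """Mint an HS256 JWT; each issued token gets its own random jti."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "exp": int(now) + ttl, "jti": uuid.uuid4().hex}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_sign(header, body))}"

class OneTimeVerifier:
    """Accepts each jti once and remembers it only until that token's exp."""

    def __init__(self):
        self._seen = {}  # jti -> exp (in-memory; hypothetical stand-in for a shared store)

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        try:
            header, body, sig = token.split(".")
            # Check the signature before trusting anything inside the token.
            if not hmac.compare_digest(_sign(header, body), _unb64(sig)):
                raise ValueError("bad signature")
            alg = json.loads(_unb64(header))["alg"]
            claims = json.loads(_unb64(body))
            exp, jti = claims["exp"], claims["jti"]
        except (KeyError, TypeError, AttributeError):
            raise ValueError("malformed token") from None
        if alg != "HS256":
            raise ValueError("unexpected alg")
        if exp <= now:
            raise ValueError("expired")
        # Forget jtis of expired tokens: the exp check already rejects those.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if jti in self._seen:
            raise ValueError("replayed jti")
        self._seen[jti] = exp
        return claims
```
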