Is there a refresh token concept for public purpose

[kounelios13]

Hello.I have recently started studying Paseto.As a person coming from a JWT background I am used to the refresh token idea(when my JWT expires I get a new one by providing a special key)

Now as an alternative for JWT authentication paseto provides the public purpose tokens.Now my question is this. When a token expires what should I do ? Is there any way to refresh that token or do I need to prompt the user to enter their login credentials so I can sign a new token?

[paragonie-scott]

Your question is from an OAuth2 background, not a JWT background.

JWT doesn't have a concept of request/access tokens. Other standards do. Those standards just so happen to use JWT as a means of encoding these tokens.

You can use a PASETO for the same purpose, yes.

The plan is, after the XChaCha20 RFC passes, to focus on formalizing PASETO as an IETF RFC and then get it into OpenID Connect as a JWT alternative.

[paragonie-security]

Should this question live here (the PHP repository), or should we move it to the specification repository?

[kounelios13]

I believe it should be moved in the specification repository

[paragonie-security]

paseto-standard/paseto-spec#2 :)