Difference between authToken and refreshToken

[hatsumatsu]

Looking through the docs I couldn't find an explanation of how authToken and refreshToken differ except in their default lifespan (5min vs. 1 year?). Both seem to enable querying private data like draft posts but are they completely interchangeable? When should we prefer one over the other?

PS: Thank you for providing this powerful toolset to the WP community.

[martinowren]

@hatsumatsu The auth token is only valid for 5 mins, so after those 5 minutes you would need to fetch a new authtoken with your refreshtoken. Refreshtokens should/can only only be used to fetch new authtokens.

[hatsumatsu]

@martinowren Thank you for clarifying.

Refreshtokens should/can only only be used to fetch new authtokens.

In my tests though refteshTokens do allow fetching private data like draft posts without obtaining a new authToken (which is handy).

The official example if how to use wordpress with nextjs uses this approach, too.

[hatsumatsu]

@martinowren Looking at this question and #144 again I assume the refreshToken and authToken returned from the login mutation reflect the permissions of the provided user. So logging in a user with the author role would return tokens that do not allow to change posts from other users?

Is this how the plugin works?