Is there a way to rotate bearer tokens?

Hey everyone, I'm using bearer tokens via the bearer() plugin mainly for authentication on a mobile app. So far I implemented auth on my backend API level, which is then used by my mobile app to log in, grab the bearer token from the response body and set it in the `authorization` header. However, as I don't want to require users to log in every week to obtain a new bearer token, I would like to rotate it on specific activities (todo created successfully, for example). Did someone implement something like this already? Thanks
10 Replies
M (OP), 4w ago
Does anyone know anything about it?
iatomic.btc, 4w ago
try using @Better Auth
Better Auth, 4w ago
Hi there! It looks like you mentioned a user, but I’m here to help answer questions specifically about Better Auth—the comprehensive authentication framework for TypeScript. Let me know if you have a question about installation, configuration, troubleshooting, or any other aspect of Better Auth, and I'll be happy to help!
Ping, 4w ago
I'm pretty sure bearer tokens are equal to session tokens, so for new tokens you need new sessions. Usually you shouldn't generate new sessions for the sake of tokens without proper verification saying that it's the actual user issuing the new session, so I'm not sure you can do that without breaking security standards.
M (OP), 3w ago
@Ping I usually call auth.api.getSession() in my auth middleware on the backend to verify that the user is the actual user (by passing the cookie or authorization header), hence refreshing the signed session token. However, what am I supposed to do if that token got compromised? I would actually like to get this token rotated exactly when the expiry date is extended. Many systems like ERPs or banking APIs provide bearer tokens / API keys as well as utilities to rotate them on demand, as it's mega expensive to have even a single token compromised. I'd argue that this could be a real deal-breaker when it comes to using better-auth for authentication for banking / ERP related APIs.
Ping, 3w ago
So you're wanting a session token/bearer token rotation api?
M (OP), 3w ago
@Ping Yeah, that would be awesome. Not sure about the implementation specifics regarding better-auth internals, but there should ideally be these options:
1. Rotation can be on or off
2. Rotate on demand
3. Rotate when the expiration datetime is reached
What do you think about it? @Ping
Ping, 3w ago
A bearer token is essentially your session token. For more important context, take a look into this message: https://discord.com/channels/1288403910284935179/1408161205889007756/1408317752912908288
M (OP), 3w ago
Well, changing updateAge so it is never reached is not an option, as users will be force-logged out in a week, for example. By that time (provided the hijacker hasn't changed anything in the app, but just stole valuable info like credit card numbers and PINs) it's too late to force a log out... That's why banking apps and ERP systems rotate their access tokens and API keys almost hourly.
Ping, 3w ago
Once an attacker has a valid session token, it doesn't matter how often you rotate it - they can still act in that window (whether that's an hour or a week). Rotation doesn't prevent data theft; it just slightly shortens the window. The real protection is making it extremely difficult to steal the token in the first place, e.g. using HttpOnly + Secure cookies, TLS, SameSite, and backend-side invalidation controls.

Session cookies are fundamentally different from access tokens or API keys. Banking apps rotate access tokens frequently because those are stateless bearer tokens that cannot be revoked once issued. In contrast, cookie-backed sessions are server-controlled and can be invalidated instantly, which is actually stronger.

What you're describing as the need for "session token rotation" would just mean forcing every client to log in again at some interval. That's equivalent to setting updateAge so it never refreshes - it doesn't add security, just worsens UX. If you try to "notify clients of a new token" instead, you've basically reinvented sliding sessions, which is exactly what updateAge already does.
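To make the distinction in the reply above concrete, here is an added, self-contained model of a server-side session store (not Better Auth's code, and not from anyone in this thread). `SessionStore`, `expiresIn`, `updateAge`, `rotate` and `revokeAllForUser` are hypothetical names; the sliding-expiry semantics follow the `updateAge` behaviour the thread refers to, and the example shows why "rotate on demand" on a server-backed session is just revoke-plus-reissue, while revocation alone already cuts off a stolen token immediately.

```typescript
import { randomBytes } from "node:crypto";

// Hypothetical in-memory session store. expiresIn: session lifetime (ms);
// updateAge: how often the expiry is pushed forward on use (sliding session).
export interface Session { token: string; userId: string; expiresAt: number; updatedAt: number }

export class SessionStore {
  private sessions = new Map<string, Session>();
  constructor(private expiresIn: number, private updateAge: number) {}

  // Issue a new opaque token; the server is the only party that knows which tokens are live.
  create(userId: string, now: number): Session {
    const token = randomBytes(32).toString("base64url");
    const s: Session = { token, userId, expiresAt: now + this.expiresIn, updatedAt: now };
    this.sessions.set(token, s);
    return s;
  }

  // Look up a bearer token; if updateAge has elapsed since the last refresh, slide the expiry.
  getSession(token: string, now: number): Session | null {
    const s = this.sessions.get(token);
    if (!s) return null;
    if (s.expiresAt <= now) { this.sessions.delete(token); return null; }
    if (now - s.updatedAt >= this.updateAge) {
      s.updatedAt = now;
      s.expiresAt = now + this.expiresIn;
    }
    return s;
  }

  // Server-side invalidation: a stolen token stops working the moment it is revoked.
  revoke(token: string): boolean { return this.sessions.delete(token); }

  // Invalidate every session of a user, e.g. after a reported compromise.
  revokeAllForUser(userId: string): number {
    let n = 0;
    for (const [t, s] of this.sessions) if (s.userId === userId) { this.sessions.delete(t); n++; }
    return n;
  }

  // "Rotation on demand" as asked for in the thread: revoke the old token and issue a new one.
  // It does nothing that revoke() plus a fresh login would not; the old token dies either way.
  rotate(token: string, now: number): Session | null {
    const s = this.getSession(token, now);
    if (!s) return null;
    this.revoke(token);
    return this.create(s.userId, now);
  }
}
```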