LB supports JWT tokens as the main authentication mechanism.
After successful login/registration, an AccessToken/RefreshToken pair and AccessTokenExpirationInSeconds are returned as part of the POST /user request response.
The AccessToken (short-lived token) is used to authenticate the user. It is passed in the 'Authorization: Bearer {{AccessToken}}' header in all protected requests.
If the AccessToken is about to expire soon or if the server is already returning a 401 Unauthorized HTTP code, the app needs to obtain a new AccessToken.
To do that, a POST /token request should be performed. If the RefreshToken is still valid, a new AccessToken/RefreshToken pair will be returned in the response. If the server returns a 401 Unauthorized HTTP code, it means the RefreshToken has expired or is not valid, and the user should be redirected to the login screen.
If the user chooses to log out in the app, the AccessToken/RefreshToken should be deleted from the user's device, and the app should also call the DELETE /token request to invalidate all RefreshTokens issued before that date.
The AccessToken expiration, RefreshToken idle, and absolute expirations are configurable.