I have an issue managing Xano authentication tokens with the Xano Auth plugin.
I store the role of my users within their authentication token using the “extras” feature in Xano.
So when a request is made to a Xano endpoint, I can check the user role at the backend level directly from the token (without having to make a request to the user database to get the role of that user).
My issue is that if I update the user role, the user has to log out and then log in again in order to generate a new authentication token containing the new role.
So the question is: is there a way to refresh the authentication token of a user, without asking him to log in again?
I have seen a few topics on this subject on the forum but couldn’t find a definitive answer.
You could make a Xano endpoint that returns a new auth token based on authenticating with your old auth token. That would create a mechanism for providing an update.
Then the question is when you want to get that new token. One could do that as part of an auth/me check - identify whether the token has the roles that are appropriate, and send back a flag indicating the token should get refreshed. Or you could use some regular event (e.g. on a page load) to call that endpoint to get a new auth token.
There are more ways to do it, but hopefully those ideas get you started!
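The two endpoints suggested in the reply above, sketched as an added example that is not part of the thread and is not Xano or WeWeb code. Generic HS256-signed tokens stand in for Xano's auth tokens; `issueToken`, `verifyToken`, `authMe`, `refresh`, the `users` map and the secret are all hypothetical names and constructed values.

```javascript
// Added example: HS256 tokens and an in-memory user table stand in for Xano.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';                        // constructed value
const users = new Map([[7, { role: 'admin', active: true }]]);   // stand-in for the user table

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

function issueToken(userId, role, now, ttl = 3600) {
  const body = b64({ alg: 'HS256', typ: 'JWT' }) + '.' + b64({ sub: userId, role, exp: now + ttl });
  return body + '.' + sign(body);
}

// Returns the claims only if the signature matches and the token has not expired.
function verifyToken(token, now) {
  const [h, p, sig] = String(token).split('.');
  if (!h || !p || !sig) return null;
  const expected = Buffer.from(sign(h + '.' + p));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  return claims.exp > now ? claims : null;
}

// auth/me: compare the role inside the token with the stored role and flag a stale token.
function authMe(token, now) {
  const claims = verifyToken(token, now);
  const user = claims && users.get(claims.sub);
  if (!user || !user.active) return { status: 401 };
  return { status: 200, role: user.role, shouldRefresh: claims.role !== user.role };
}

// refresh: the old token only identifies the user; the role is re-read from the table,
// never copied from the old token, and deactivated users get nothing.
function refresh(token, now) {
  const claims = verifyToken(token, now);
  const user = claims && users.get(claims.sub);
  if (!user || !user.active) return { status: 401 };
  return { status: 200, authToken: issueToken(claims.sub, user.role, now) };
}
```

Because the refresh path rejects expired tokens, a token that has already lapsed still forces a normal login.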
About token refreshing in Xano, it seems that this process is usually done with a dedicated “refresh_token” and not with a usual authentication token. Is it still best practice to use the authentication token to … refresh the authentication token?
If so, should the token be passed in the request body or in the header?
About when to get that new token, I think I will indeed use one of the two options you provided; however, there is still one question: once I get the new token from Xano, how do I replace the access_token in WeWeb?
It seems like the Xano access_token in WeWeb can only be generated with the Xano Auth plugin.