API TestingAPIAdvanced

Token refresh API

Scenario

A `POST /auth/refresh` endpoint exchanges a refresh token for a new access token and rotated refresh token. Reused refresh tokens should be detected, sessions can be revoked, and expired tokens must fail safely.

What would you test?

List checks, risks, edge cases, data conditions, and user experience concerns you would cover.