API Testing | API | Advanced

Auth token refresh API

Scenario

POST /auth/refresh accepts a refresh token and returns a new access token plus a rotated refresh token. Access tokens expire after 15 minutes, refresh tokens expire after 30 days, and reused or revoked refresh tokens should terminate the session.

List checks, risks, edge cases, data conditions, and user experience concerns you would cover.
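An in-memory reference model of the rotation, expiry and reuse rules in the scenario, added here as an example; it is not part of the original challenge or any real service's code. Class, method and field names are hypothetical, and it assumes each rotated refresh token gets a fresh 30-day lifetime, which the scenario does not specify.

```python
import secrets

ACCESS_TTL = 15 * 60           # access tokens: 15 minutes (from the scenario)
REFRESH_TTL = 30 * 24 * 3600   # refresh tokens: 30 days (from the scenario)


class RefreshError(Exception):
    """Stands in for a rejected POST /auth/refresh call in this model."""


class TokenService:
    """Hypothetical model of the endpoint's state, with an injectable clock."""

    def __init__(self, clock):
        self.clock = clock            # callable returning seconds; tests move time
        self.tokens = {}              # refresh token -> {"sid", "exp", "spent"}
        self.dead_sessions = set()    # sessions terminated by reuse or revocation

    def _issue(self, sid):
        now = self.clock()
        token = secrets.token_urlsafe(32)
        # Assumption: sliding expiry, every rotation restarts the 30 days.
        self.tokens[token] = {"sid": sid, "exp": now + REFRESH_TTL, "spent": False}
        return {"sid": sid, "access_exp": now + ACCESS_TTL, "refresh_token": token}

    def login(self):
        return self._issue(secrets.token_hex(8))

    def revoke(self, token):
        if token in self.tokens:
            self.tokens[token]["spent"] = True

    def refresh_tokens(self, token):
        rec = self.tokens.get(token)
        if rec is None:
            raise RefreshError("unknown token")
        if rec["sid"] in self.dead_sessions:
            raise RefreshError("session terminated")
        if rec["spent"]:
            # A rotated or revoked token came back: end the whole session,
            # so the newest token in the chain stops working too.
            self.dead_sessions.add(rec["sid"])
            raise RefreshError("refresh token reuse")
        if self.clock() >= rec["exp"]:
            raise RefreshError("refresh token expired")
        rec["spent"] = True           # rotation: the presented token is single-use
        return self._issue(rec["sid"])
```

The check that is easiest to miss is the one after a replay: the most recently issued refresh token must also be rejected, not only the replayed one.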