This repository demonstrates a complete working example of handling access token refreshing in a client-server architecture using:
- Ktor as the backend server
- Flutter as the mobile client app
- 🧾 JWT-based authentication with access and refresh tokens
- ⏱ Access token expires in 1 minute (for testing)
- ♻️ Refresh token expires in 2 minutes
- 🔄 Automatic access token refresh when expired
- 🚪 Forced logout when refresh token is also expired
✅ Server (Ktor)
-
Exposes endpoints for:
- /auth/signup
- /auth/login
- /auth/refresh
- /get_data?userId
-
Generates JWTs using HMAC
-
Stores refresh tokens and validates them during token refresh
📱 Client (Flutter)
-
Stores tokens securely using
flutter_secure_storage -
Intercepts HTTP 401 errors
- Automatically retries the original request after refreshing the token
- If refresh token is also expired, logs the user out
-
Uses state management BLoC to manage state
- Start the Ktor Server
cd ktor-server
./gradlew run
- Run the Flutter App
cd flutter-client
flutter run