Graceful Token Rotation in Ory OAuth2 / Ory Hydra

Ory Network now supports graceful refresh token rotation in Ory OAuth2 and Ory Hydra, enhancing session reliability during refresh token exchanges. With this feature enabled, refresh tokens remain valid within a configurable grace period, allowing for multiple refreshes without immediate invalidation. This minimizes disruptions in session continuity, especially in cases of network delays or token exchange issues.

When a refresh token is used, it’s marked as "used" in the database, and its expiration is extended by the grace period. Subsequent token refreshes within the grace period will issue new access and refresh tokens linked to a single token chain. If any token in this chain is revoked, all associated tokens are invalidated, ensuring security across sessions.

Read more in the Ory Documentation.