# JWT Lifecycle

**Used in:** §13.5 JWT Token Lifecycle & Refresh
**Audience:** Backend Developer, DevOps
**IA ID:** D20

```mermaid
sequenceDiagram
  autonumber
  participant Client as Portal / SDK / Wallet
  participant API
  participant Redis
  participant DB

  Client->>API: POST /auth/login (email)
  API->>DB: lookup user
  API->>Redis: store OTP code (TTL 10m)
  API-->>Client: 200 "OTP sent"

  Client->>API: POST /auth/verify-otp (email, code)
  API->>Redis: validate + delete OTP
  API->>DB: load roles, issue access_token (15m) + refresh_token (30d)
  API->>Redis: store refresh_token jti (allowlist)
  API-->>Client: { accessToken, refreshToken }

  Note over Client,API: Subsequent calls
  Client->>API: GET /any (Bearer access_token)
  API->>API: verify signature + exp
  API-->>Client: 200

  Note over Client,API: Refresh
  Client->>API: POST /auth/refresh (refresh_token)
  API->>Redis: lookup jti — must be allowlisted, not revoked
  API->>API: rotate (issue new pair, invalidate old jti)
  API->>Redis: replace allowlisted jti
  API-->>Client: { accessToken, refreshToken }
```

**Reading guide:** Refresh tokens are single-use: every refresh rotates the jti, and only the current jti is allowlisted in Redis, so presenting an already-rotated refresh token fails the lookup. Logout revokes the refresh-token jti. Access tokens are verified by signature and exp only (no Redis lookup), so an already-issued access token remains valid until it expires (15m).
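The following is an added, self-contained Python illustration of the lifecycle in the diagram; it is not code from the project or this documentation. It signs HS256 JWTs with the standard library, uses an in-memory dictionary as a stand-in for the Redis jti allowlist, and models three paths: verifying a Bearer access token (signature + exp only), refreshing with rotation (old jti is removed before the new pair is issued, so a replayed refresh token is rejected), and logout (jti revocation). The signing key, TTL constants, `load_roles` callback and all sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, List, Optional

# Constructed demo key; a real service loads the signing key from a secret store.
SECRET = b"demo-signing-key-not-for-production"
ACCESS_TTL = 15 * 60            # access_token lifetime from the diagram (15m)
REFRESH_TTL = 30 * 24 * 3600    # refresh_token lifetime from the diagram (30d)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Produce a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token: str, now: Optional[float] = None) -> dict:
    """The check the API runs on every Bearer call: signature first, then exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


class RefreshAllowlist:
    """Stand-in for the Redis allowlist: jti -> expiry timestamp (Redis would use SET ... EX)."""

    def __init__(self) -> None:
        self._jtis: Dict[str, float] = {}

    def add(self, jti: str, exp: float) -> None:
        self._jtis[jti] = exp

    def is_allowed(self, jti: str, now: float) -> bool:
        return self._jtis.get(jti, 0.0) > now

    def revoke(self, jti: str) -> None:
        self._jtis.pop(jti, None)


def issue_pair(allowlist: RefreshAllowlist, sub: str, roles: List[str], now: float) -> dict:
    """Issue access (15m) + refresh (30d) and allowlist the new refresh jti."""
    access = sign_jwt({"sub": sub, "roles": roles, "typ": "access", "exp": now + ACCESS_TTL})
    jti = secrets.token_urlsafe(16)
    refresh_tok = sign_jwt({"sub": sub, "typ": "refresh", "jti": jti, "exp": now + REFRESH_TTL})
    allowlist.add(jti, now + REFRESH_TTL)
    return {"accessToken": access, "refreshToken": refresh_tok}


def refresh(allowlist: RefreshAllowlist, refresh_token: str,
            load_roles: Callable[[str], List[str]], now: float) -> dict:
    """POST /auth/refresh: jti must be allowlisted; rotate by revoking it before issuing a new pair."""
    claims = verify_jwt(refresh_token, now)
    if claims.get("typ") != "refresh":
        raise ValueError("not a refresh token")
    if not allowlist.is_allowed(claims["jti"], now):
        raise ValueError("refresh token revoked or already used")
    allowlist.revoke(claims["jti"])          # single-use: old jti dies first
    return issue_pair(allowlist, claims["sub"], load_roles(claims["sub"]), now)


def logout(allowlist: RefreshAllowlist, refresh_token: str, now: float) -> None:
    """Logout revokes the refresh-token jti; the access token simply runs out its exp."""
    claims = verify_jwt(refresh_token, now)
    if claims.get("typ") == "refresh":
        allowlist.revoke(claims["jti"])
```

`load_roles` stands in for the DB role lookup in step 7, so a refresh re-reads roles rather than copying them from the old token. Revoking the old jti before issuing the new pair is what makes a replayed refresh token fail; if the order were reversed, a crash between the two steps would leave two valid refresh tokens.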