# TokenService Component

## Purpose

Generate, validate, and manage JWT tokens.

## Public API

### Methods

#### create_access_token(user: User) -> str

Generate a new JWT access token.

**Parameters:**

- `user`: User object with `id`, `email`, `role`

**Returns:** JWT token string

**Token claims** (schema; values shown are the expressions that populate each claim, and `exp` is `iat` plus 900 seconds, i.e. 15 minutes):

```json
{
  "sub": user.id,
  "email": user.email,
  "role": user.role,
  "iat": current_timestamp,
  "exp": current_timestamp + 900,
  "jti": uuid4()
}
```

#### create_refresh_token(user: User) -> str

Generate a new refresh token.

**Returns:** JWT refresh token (7 day expiration)

#### verify_token(token: str) -> TokenPayload

Validate and decode a JWT token.

**Parameters:**

- `token`: JWT token string

**Returns:** TokenPayload with claims

**Raises:**

- `ExpiredSignatureError`: Token expired
- `InvalidTokenError`: Token invalid/malformed

#### revoke_token(token_id: str, user_id: str) -> bool

Mark a token as revoked in the session store.

**Parameters:**

- `token_id`: JWT `jti` claim
- `user_id`: User ID

**Returns:** True if revoked

---

## Configuration

```python
import os

ACCESS_TOKEN_EXPIRE = 900        # 15 minutes
REFRESH_TOKEN_EXPIRE = 604800    # 7 days
ALGORITHM = "HS256"              # or RS256 with key pair
SECRET_KEY = os.getenv("JWT_SECRET")
```

## Security

- Tokens include a unique `jti` claim for revocation tracking
- Short access token duration minimizes the theft window
- Refresh tokens stored in Redis for fast revocation