Backend Developer
hardjwt-access-refresh-tokens

How do access tokens and refresh tokens work with JWT authentication?

Answer

**Access tokens** are short-lived and used on each request. **Refresh tokens** are longer-lived and used to obtain new access tokens.

**Best practices:**

- Keep access tokens short TTL
- Store refresh tokens securely (httpOnly cookies or secure storage)
- Rotate refresh tokens and revoke on compromise

JWTs are convenient for stateless auth, but token revocation and rotation must be designed carefully.

Related Topics

Security, Authentication, API