# JWT Tokens
Frona AI uses JSON Web Tokens for authentication. This page covers the technical details of how tokens work.
## Token structure
Access tokens are standard JWTs containing:
- User ID
- Issued-at timestamp
- Expiration timestamp
The token is signed with the server’s encryption secret (`FRONA_AUTH_ENCRYPTION_SECRET`).
## Token lifetimes
| Token | Default | Config variable |
|---|---|---|
| Access token | 15 minutes | `FRONA_AUTH_ACCESS_TOKEN_EXPIRY_SECS` |
| Refresh token | 7 days | `FRONA_AUTH_REFRESH_TOKEN_EXPIRY_SECS` |
| Pre-signed URL | 24 hours | `FRONA_AUTH_PRESIGN_EXPIRY_SECS` |
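As an added illustration (not Frona's own code), the following Python builds and verifies an HS256 access token carrying exactly the three claims listed under Token structure, using the 15-minute default from the table. The claim names `sub`, `iat` and `exp`, the clock-skew allowance and the secret value are assumptions (the secret is a constructed placeholder standing in for `FRONA_AUTH_ENCRYPTION_SECRET`); HS256 itself is what the page's sample token header `eyJhbGciOiJIUzI1NiIs...` decodes to. Only the standard library is used, and the verifier shows the order that matters on the server side: pin the algorithm, check the signature, and only then read the claims.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder for this example; the real server reads FRONA_AUTH_ENCRYPTION_SECRET.
EXAMPLE_SECRET = "example-only-secret-do-not-reuse"
ACCESS_TOKEN_EXPIRY_SECS = 900   # the documented default of 15 minutes
CLOCK_SKEW_SECS = 60             # assumption: tolerance for an iat slightly in the future


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError as exc:  # binascii.Error is a ValueError
        raise TokenError("bad base64url segment") from exc


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_access_token(user_id: str, secret: str, now: Optional[int] = None,
                      lifetime: int = ACCESS_TOKEN_EXPIRY_SECS) -> str:
    """Build an HS256 JWT carrying the user ID, issued-at and expiration claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + lifetime}  # claim names are assumptions
    signing_input = f"{_json_segment(header)}.{_json_segment(payload)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_access_token(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Return the payload of a valid token, or raise TokenError.

    Order matters: pin the algorithm, check the signature, and only then look at claims,
    so nothing in an unverified payload influences the decision."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # rejects "none" and every other algorithm
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload, dict) or not all(k in payload for k in ("sub", "iat", "exp")):
        raise TokenError("missing claim")
    if payload["exp"] <= now:
        raise TokenError("expired")
    if payload["iat"] > now + CLOCK_SKEW_SECS:
        raise TokenError("issued in the future")
    return payload


if __name__ == "__main__":
    t = mint_access_token("user-123", EXAMPLE_SECRET)
    print(t)
    print(verify_access_token(t, EXAMPLE_SECRET))
```

The algorithm is fixed in code rather than taken from the token's header because the header is attacker-controlled until the signature has been checked; a production service would normally get the same guarantees from a maintained JWT library configured with an explicit allow-list of algorithms.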
## Refresh flow
When an access token expires:
- The client sends a request to `POST /api/auth/refresh`
- The refresh token is read from the HttpOnly cookie
- If valid, the server issues a new access token
- The new refresh token is set in the cookie
The frontend handles this automatically. You don’t need to manage token refresh manually.
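The four steps above as one runnable exchange, added here as an example and not taken from Frona's code: an in-memory stand-in for the server (login, a protected endpoint, and `POST /api/auth/refresh`) and a client that does what the frontend does, retrying once after a refresh when it sees a 401. Tokens are opaque random strings rather than JWTs so the exchange itself stays in focus; the single-use rotation of the refresh token, the cookie attributes and the dict-shaped requests and responses are assumptions. The lifetimes are the page's defaults.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ACCESS_TOKEN_EXPIRY_SECS = 15 * 60          # documented defaults
REFRESH_TOKEN_EXPIRY_SECS = 7 * 24 * 3600


@dataclass
class FakeAuthServer:
    """In-memory stand-in for the server side. `clock` is advanced by hand."""
    clock: int = 0
    access_tokens: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # token -> (user, exp)
    refresh_tokens: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # token -> (user, exp)

    def _issue(self, user_id: str) -> dict:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[access] = (user_id, self.clock + ACCESS_TOKEN_EXPIRY_SECS)
        self.refresh_tokens[refresh] = (user_id, self.clock + REFRESH_TOKEN_EXPIRY_SECS)
        # The access token goes to the client in the body; the refresh token only ever
        # travels in an HttpOnly cookie, so page scripts cannot read it (attributes assumed).
        return {"status": 200, "body": {"access_token": access},
                "set_cookie": {"refresh_token": refresh, "HttpOnly": True, "Secure": True,
                               "SameSite": "Strict", "Path": "/api/auth/refresh"}}

    def login(self, user_id: str) -> dict:
        return self._issue(user_id)

    def api(self, path: str, bearer: Optional[str]) -> dict:
        """Any protected endpoint: 401 when the access token is unknown or expired."""
        entry = self.access_tokens.get(bearer) if bearer else None
        if entry is None or entry[1] <= self.clock:
            return {"status": 401, "body": {"error": "invalid or expired access token"}}
        return {"status": 200, "body": {"path": path, "user": entry[0]}}

    def refresh(self, cookies: dict) -> dict:
        """POST /api/auth/refresh: read the cookie, rotate the refresh token, issue a new pair."""
        entry = self.refresh_tokens.pop(cookies.get("refresh_token"), None)  # pop => single use
        if entry is None or entry[1] <= self.clock:
            return {"status": 401, "body": {"error": "invalid or expired refresh token"}}
        return self._issue(entry[0])


class Client:
    """What the frontend does for you: keep the access token in memory, let the browser
    hold the cookie, and refresh once on a 401 before giving up."""

    def __init__(self, server: FakeAuthServer):
        self.server = server
        self.access: Optional[str] = None
        self.cookie_jar: dict = {}
        self.refreshes = 0

    def _absorb(self, resp: dict) -> None:
        self.access = resp["body"]["access_token"]
        self.cookie_jar["refresh_token"] = resp["set_cookie"]["refresh_token"]

    def login(self, user_id: str) -> None:
        self._absorb(self.server.login(user_id))

    def get(self, path: str) -> dict:
        resp = self.server.api(path, self.access)
        if resp["status"] != 401:
            return resp
        refreshed = self.server.refresh(self.cookie_jar)
        if refreshed["status"] != 200:
            return refreshed  # refresh token gone or expired: the user must log in again
        self.refreshes += 1
        self._absorb(refreshed)
        return self.server.api(path, self.access)


if __name__ == "__main__":
    srv = FakeAuthServer()
    client = Client(srv)
    client.login("user-1")
    srv.clock += ACCESS_TOKEN_EXPIRY_SECS + 1   # let the access token lapse
    print(client.get("/api/chats"), "refreshes:", client.refreshes)
```

Rotating the refresh token on every use means a previously issued cookie value stops working the moment it has been exchanged, which is what makes a replayed refresh request detectable on the server side.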
## Using tokens with the API
For API requests, include the access token in the `Authorization` header:
```
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
```
For SSE streams and WebSocket connections where headers aren’t easily set, you can pass the token as a query parameter:
```
GET /api/chats/{id}/messages/stream?token=eyJhbGciOiJIUzI1NiIs...
```
## Pre-signed URLs
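Added example (not Frona's code) of the server-side counterpart to the two transports above: a function that pulls the access token out of an incoming request, preferring the `Authorization` header and honouring the `?token=` fallback only on the streaming path shown. Restricting the query-string form to the endpoints that need it is an assumption about how one would deploy this, not something the page states; the motivation is that query strings end up in access logs, browser history and `Referer` headers in a way headers do not.

```python
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption for this example: only the streaming endpoint may carry the token in the query.
QUERY_TOKEN_PATHS = re.compile(r"^/api/chats/[^/]+/messages/stream$")
# A compact JWT: three base64url segments separated by dots.
_BEARER = re.compile(r"^Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$")


def extract_access_token(method: str, url: str, headers: dict) -> Tuple[Optional[str], str]:
    """Return (token, source) where source is 'header', 'query' or 'none'.

    An Authorization header always decides the outcome: if it is present but malformed
    we do not fall through to the query string. The ?token= form is accepted only for
    GET requests to the streaming path, so a token pasted into any other URL is ignored
    rather than silently accepted."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is not None:
        m = _BEARER.match(auth.strip())
        return (m.group(1), "header") if m else (None, "none")
    parts = urlsplit(url)
    if method.upper() == "GET" and QUERY_TOKEN_PATHS.match(parts.path):
        values = parse_qs(parts.query).get("token", [])
        if len(values) == 1 and values[0]:   # exactly one non-empty token parameter
            return values[0], "query"
    return None, "none"


if __name__ == "__main__":
    print(extract_access_token("GET", "/api/chats/42/messages/stream?token=aaa.bbb.ccc", {}))
    print(extract_access_token("GET", "/api/chats", {"Authorization": "Bearer aaa.bbb.ccc"}))
```

Whichever source the token came from, it is then handed to the same signature and expiry verification; the extractor's only job is to decide where a token may legitimately arrive.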
Some features use pre-signed URLs for temporary access to resources (like file downloads). These URLs contain a token in the query string and expire after 24 hours by default.
## Encryption secret
The `FRONA_AUTH_ENCRYPTION_SECRET` is used to sign JWTs and encrypt sensitive data. If you change this value, all existing tokens become invalid and users will need to log in again.
Use a strong, random secret in production. The default value (`dev-secret-change-in-production`) is only suitable for local development.
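A start-up check for that requirement, added as an example rather than taken from Frona: it reads `FRONA_AUTH_ENCRYPTION_SECRET`, rejects the documented development default, and flags values that are too short or that look like a phrase rather than random bytes. The 32-byte minimum (the HS256 key size RFC 7518 recommends), the 128-bit entropy threshold and the Shannon estimate used to approximate entropy are this example's assumptions; `generate_secret` shows one way to produce a value that passes.

```python
import math
import os
import secrets
from collections import Counter
from typing import List, Mapping, Optional

DEFAULT_DEV_SECRET = "dev-secret-change-in-production"   # the documented default
MIN_SECRET_BYTES = 32      # assumption: 256 bits, the HS256 key size RFC 7518 recommends
MIN_ENTROPY_BITS = 128     # assumption: floor for the empirical entropy estimate below


def shannon_entropy_bits(value: str) -> float:
    """Rough entropy estimate: per-character Shannon entropy times length.

    This only measures how varied the characters are, so it catches defaults,
    repeated patterns and short phrases, not every weak choice."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def check_encryption_secret(value: Optional[str]) -> List[str]:
    """Return a list of problems; an empty list means the value is acceptable."""
    if not value:
        return ["FRONA_AUTH_ENCRYPTION_SECRET is not set"]
    problems = []
    if value == DEFAULT_DEV_SECRET:
        problems.append("secret is the documented development default")
    if len(value.encode()) < MIN_SECRET_BYTES:
        problems.append(f"secret is shorter than {MIN_SECRET_BYTES} bytes")
    if shannon_entropy_bits(value) < MIN_ENTROPY_BITS:
        problems.append("secret has low estimated entropy (looks like a phrase or a repeated pattern, not random bytes)")
    return problems


def generate_secret() -> str:
    """48 random bytes, URL-safe base64 encoded: 64 characters, comfortably above both floors."""
    return secrets.token_urlsafe(48)


def check_environment(env: Mapping[str, str] = os.environ) -> List[str]:
    return check_encryption_secret(env.get("FRONA_AUTH_ENCRYPTION_SECRET"))


if __name__ == "__main__":
    for problem in check_environment() or ["FRONA_AUTH_ENCRYPTION_SECRET looks fine"]:
        print(problem)
    print("example of an acceptable value:", generate_secret())
```

Run it from the same environment the server starts in; a deployment that prints any problem line should refuse to start, since every issued token and every encrypted field depends on this one value.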