What's the flow for refreshing a user token?


I have a web app where the user authenticates with their Figma account.
I also have a plugin which authenticates and verifies the user by opening the web app and then notifies the plugin via WebSocket that the user has authenticated.
To persist that state I’ve saved the token to the clientStorage.

My problem is now that I don’t know how I refresh this token which authenticates the user with the internal API of the web app. It uses the same JWT to do it.

I set an httpOnly cookie for the refresh token, but refreshing fails when it’s called from within the iframe. When I open the site in the iframe it works. Probably some CORS issues I think, but I’m not sure if those can be resolved because of the iframe restrictions.

So my question is whether there is a specific flow for refreshing the token to stay logged in, or would the user need to re-authenticate after e.g. 2 hours?

I appreciate any feedback and advice. If I’m doing it completely wrong, please note that also. I’m open. 🙂