# Authentication Configuration Guide

## Token Settings
The producer portal expects the following token configuration from the backend API:
### Access Token
- Expiration Time: 24 hours (86400 seconds)
- Token Type: JWT
- Refresh Buffer: 5 minutes (tokens are refreshed 5 minutes before expiry)
### Refresh Token

- Endpoint: `/auth/token/refresh/`
- Method: POST
- Request Body: `{ "refresh": "<refresh_token>" }`
- Response: `{ "access": "<new_access_token>" }`
## Important Backend Considerations

- Token Expiration Mismatch: If your backend uses a token expiration time other than 24 hours, update the following file:
  Change `TOKEN_EXPIRATION_MS` to match your backend setting (in milliseconds).
- Error Response Format: When token refresh fails, make sure the backend returns the appropriate HTTP status codes:
  - `401` for invalid/expired refresh tokens
  - `403` for revoked/blacklisted tokens
  - Include error details in the response body
- CORS Configuration: Make sure the backend allows credentials from the frontend domain for token refresh requests.
## Debugging Authentication Issues

- Enable debug mode by setting `NODE_ENV=development` to see detailed auth logs in the browser console.
- Check the browser console for messages starting with `[Auth]` to track token refresh attempts.
- Common issues:
  - Backend token expiration shorter than the frontend expects
  - Refresh token endpoint returning an unexpected response format
  - CORS blocking token refresh requests
  - Clock skew between client and server
## Session Behavior
- Sessions are checked and refreshed automatically by NextAuth
- Tokens are refreshed 5 minutes before expiration to prevent race conditions
- Only true authentication failures (invalid tokens) trigger logout
- Authorization errors (403) show error messages but don't log out users
## API Error Handling

The frontend distinguishes between:

- Authentication errors (401 with token-related messages) → Logout
- Authorization errors (403, 401 without token issues) → Show error, stay logged in
- Network/Server errors → Retry automatically, show error if persistent
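As an added illustration (not code from the producer portal or its backend), the following JavaScript sketches the refresh-buffer check, the `POST /auth/token/refresh/` exchange and the error classification described above. `classifyFailure`, `fakeFetch` and the `detail` field used to spot token-related error messages are assumptions for this example, not the portal's real API.

```javascript
// Constants mirror the page: 24 h access tokens, refreshed 5 minutes before expiry.
const TOKEN_EXPIRATION_MS = 24 * 60 * 60 * 1000; // 86400000
const REFRESH_BUFFER_MS = 5 * 60 * 1000;         // 300000

// True when an access token issued at `issuedAtMs` should be refreshed at `nowMs`.
// Refreshing inside the buffer avoids sending a request with a token that expires in flight.
function needsRefresh(issuedAtMs, nowMs, expirationMs = TOKEN_EXPIRATION_MS) {
  return nowMs >= issuedAtMs + expirationMs - REFRESH_BUFFER_MS;
}

// Classify a failed API call the way the page describes:
// 401 with a token-related message -> "logout"; 403 or a 401 without a
// token issue -> "show-error"; network or 5xx failures -> "retry".
// The `detail` field is an assumed error-body shape, not the portal's real one.
function classifyFailure({ status, body, networkError = false }) {
  if (networkError || status >= 500) return "retry";
  const detail = (body && body.detail) || "";
  if (status === 401 && /token/i.test(detail)) return "logout";
  return "show-error"; // 403, non-token 401 and anything else: stay logged in
}

// POST the refresh token and return the new access token or the action to take.
// `fetchImpl` is injectable so the example runs offline against fakeFetch below.
async function refreshAccessToken(refreshToken, fetchImpl = fetch, baseUrl = "") {
  const res = await fetchImpl(`${baseUrl}/auth/token/refresh/`, {
    method: "POST",
    credentials: "include", // requires the backend CORS policy to allow credentials
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ refresh: refreshToken }),
  });
  const body = await res.json().catch(() => ({}));
  if (!res.ok) {
    return { ok: false, action: classifyFailure({ status: res.status, body }) };
  }
  if (typeof body.access !== "string") {
    // "Unexpected response format" from the common-issues list above.
    return { ok: false, action: "show-error", reason: "missing access field" };
  }
  return { ok: true, access: body.access };
}

// Constructed stand-in for fetch: returns a fixed status and JSON payload.
function fakeFetch(status, payload) {
  return async () => ({ ok: status < 400, status, json: async () => payload });
}
```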