ADR 001: Move to Dual Token (Access/Refresh) Authentication

Context

Historically, we relied on stateful server sessions. With our move to a decoupled React Single Page Application (SPA), we need a stateless mechanism to verify users across distributed backend instances without overloading the database.

Options Considered

  1. Sticky Sessions with Redis Spring Session.
  2. Standard short-lived JWT.
  3. Dual Token (short-lived Access JWT + long-lived Refresh JWT).

Decision

We chose Option 3: Dual Token. The frontend store (Zustand) holds a 15-minute Access Token and a 7-day Refresh Token. An Axios response interceptor catches 401 responses, performs a single refresh, and queues the requests that arrive while that refresh is in progress so they are retried with the new Access Token.

Consequences

  • Positive: The backend becomes stateless and horizontally scalable. The exposure from a leaked Access Token is bounded by its 15-minute lifetime.
  • Negative: Increased frontend complexity to handle API requests that are in flight concurrently while a token refresh is in progress.
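The two points above (the Decision's 401 refresh queue, and the Negative consequence about concurrent requests during a refresh) come down to one mechanism: a single in-flight refresh promise that every 401-ed request awaits before retrying once. The following is an added illustration written for this record, not the project's own Axios interceptor or Zustand store. It uses a constructed in-memory stub instead of the real backend, and the endpoint names and token formats are assumptions; the refresh is given a small artificial delay so the concurrency is visible.

```javascript
// Added example (not the project's code): a request layer that retries on 401
// and serialises concurrent refreshes, exercised against a constructed stub backend.

// --- constructed stub backend (stands in for the real API) ---------------------
function createStubBackend() {
  let accessCounter = 0;
  let refreshCalls = 0;
  const validAccess = new Set();
  let currentRefresh = "refresh-0";

  function issueAccess() {
    const token = `access-${++accessCounter}`;
    validAccess.add(token);
    return token;
  }

  return {
    stats: () => ({ refreshCalls }),
    expireAll: () => validAccess.clear(),              // simulate the 15-minute expiry
    revokeRefresh: () => { currentRefresh = "revoked"; }, // simulate server-side logout
    bootstrap: () => ({ accessToken: issueAccess(), refreshToken: currentRefresh }),
    // Stand-in for a hypothetical POST /auth/refresh: rotates the refresh token.
    async refresh(refreshToken) {
      refreshCalls++;
      await new Promise((resolve) => setTimeout(resolve, 5)); // artificial network latency
      if (refreshToken !== currentRefresh) return { status: 401 };
      currentRefresh = `refresh-${refreshCalls}`;
      return { status: 200, accessToken: issueAccess(), refreshToken: currentRefresh };
    },
    // Stand-in for any protected GET: 401 when the bearer token is unknown or expired.
    async request(path, accessToken) {
      if (!validAccess.has(accessToken)) return { status: 401 };
      return { status: 200, data: `ok:${path}` };
    },
  };
}

// --- client: in-memory token store + interceptor with one in-flight refresh ----
function createClient(backend) {
  let tokens = backend.bootstrap(); // stand-in for the Zustand store
  let refreshInFlight = null;        // shared by every request that hits a 401 mid-refresh

  function refreshOnce() {
    if (!refreshInFlight) {
      refreshInFlight = backend.refresh(tokens.refreshToken)
        .then((res) => {
          if (res.status !== 200) {
            tokens = null;           // refresh rejected: drop credentials, force re-login
            throw new Error("session expired");
          }
          tokens = { accessToken: res.accessToken, refreshToken: res.refreshToken };
        })
        .finally(() => { refreshInFlight = null; });
    }
    return refreshInFlight;          // concurrent callers all await the same promise
  }

  async function get(path) {
    if (!tokens) throw new Error("not authenticated");
    let res = await backend.request(path, tokens.accessToken);
    if (res.status === 401) {
      await refreshOnce();
      res = await backend.request(path, tokens.accessToken); // retry exactly once
    }
    if (res.status !== 200) throw new Error(`request failed: ${res.status}`);
    return res.data;
  }

  return { get, isAuthenticated: () => tokens !== null };
}

// Scenario 1: the access token expires, then five requests fire concurrently.
// Expected: all five succeed and the backend sees exactly one refresh call.
async function demoConcurrentRefresh() {
  const backend = createStubBackend();
  const client = createClient(backend);
  backend.expireAll();
  const results = await Promise.all(["/a", "/b", "/c", "/d", "/e"].map((p) => client.get(p)));
  return { results, refreshCalls: backend.stats().refreshCalls };
}

// Scenario 2: the refresh token has been revoked server-side.
// Expected: the request fails with "session expired" and the client is logged out.
async function demoRevokedRefresh() {
  const backend = createStubBackend();
  const client = createClient(backend);
  backend.expireAll();
  backend.revokeRefresh();
  let error = null;
  try { await client.get("/secure"); } catch (e) { error = e.message; }
  return { error, authenticated: client.isAuthenticated() };
}

if (typeof require !== "undefined" && require.main === module) {
  demoConcurrentRefresh().then(console.log).then(demoRevokedRefresh).then(console.log);
}
```

The design choice worth noting is that the queue is just the shared promise: the first 401 starts the refresh and every later 401 waits on it, so the refresh endpoint is hit once per expiry rather than once per concurrent request, and a rejected refresh clears the store so callers cannot loop on a dead token.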