JWT refresh token silently corrupted when renewal endpoint omits field
Problem
After token renewal, the app stops working silently. The renewal API returns only { token } but the client code does `const { token, refreshToken } = response.data` and stores both — meaning refreshToken becomes undefined and overwrites the valid stored refresh token. The user appears logged in but all subsequent authenticated requests fail until they manually log out and back in.
Error Output
401 Unauthorized: Token expired at axiosInstance interceptor → renewToken → refreshToken is undefined
1 Fix
Guard the refreshToken storage with an existence check
When the renewal endpoint returns only { token } without a refreshToken field, destructuring assigns undefined to refreshToken. Without a guard, undefined is stored, overwriting the valid refresh token.
Trust Score
6 verifications
1. Add a guard before storing the refresh token
In your token renewal handler:
```typescript
// ❌ Overwrites stored refreshToken with undefined
const { token, refreshToken } = response.data
setAccessToken(token)
setRefreshToken(refreshToken) // refreshToken is undefined!

// ✅ Only update refreshToken if the response includes one
const { token, refreshToken: newRefreshToken } = response.data
setAccessToken(token)
if (newRefreshToken) {
  setRefreshToken(newRefreshToken)
}
// If newRefreshToken is absent, the existing stored refreshToken remains valid
```
2. Apply the same guard in your Axios interceptor
If token renewal happens in an Axios response interceptor, ensure the guard is applied there too.
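One way to keep the guard identical in the renewal handler and the interceptor is to route both through a single function. This is an added example, not part of the original fix: `TokenStore` and `applyRenewal` are hypothetical names and the token values are constructed. It goes beyond the truthiness check by validating the whole response before writing anything, so a present-but-malformed `refreshToken` (null, empty string) is rejected rather than stored.

```typescript
// Added example; TokenStore and applyRenewal are hypothetical names.
interface TokenStore {
  accessToken: string | null;
  refreshToken: string | null;
}

type RenewalResult =
  | { ok: true; rotated: boolean }
  | { ok: false; reason: string };

const isNonEmptyString = (v: unknown): v is string =>
  typeof v === "string" && v.trim().length > 0;

// Apply a renewal response body to the store. Everything is validated
// before any write, so a bad response leaves the stored tokens untouched.
function applyRenewal(store: TokenStore, body: unknown): RenewalResult {
  if (typeof body !== "object" || body === null) {
    return { ok: false, reason: "response body is not an object" };
  }
  const { token, refreshToken } = body as Record<string, unknown>;
  if (!isNonEmptyString(token)) {
    return { ok: false, reason: "missing or invalid token" };
  }
  if (refreshToken === undefined) {
    // Field omitted: update the access token, keep the stored refresh token.
    store.accessToken = token;
    return { ok: true, rotated: false };
  }
  if (!isNonEmptyString(refreshToken)) {
    // Present but null, empty or non-string: refuse instead of storing it.
    return { ok: false, reason: "invalid refreshToken" };
  }
  store.accessToken = token;
  store.refreshToken = refreshToken; // server rotated the refresh token
  return { ok: true, rotated: true };
}

// Constructed sample values, not real tokens.
const sampleStore: TokenStore = { accessToken: "old-access", refreshToken: "stored-refresh" };
const sampleOutcome = applyRenewal(sampleStore, { token: "new-access" });
// Log presence only; never write token values to logs.
console.log(sampleOutcome, { hasRefreshToken: sampleStore.refreshToken !== null });
```

Call `applyRenewal` from both places with `response.data` as `body`, and treat an `ok: false` result as a failed renewal instead of continuing with a half-updated store.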
Validation
After token renewal, log the stored refreshToken. It should remain a valid non-undefined value. Authenticated requests should succeed for the full token lifetime.
Environment
- Product
- React + JWT Auth
- Environment
- production
Submitted by
Alex Chen
2450 rep