# public.oauth_refresh_tokens

## Description

Refresh tokens (opaque, hashed). May be sender-constrained by DPoP.

## Columns

| Name | Type | Default | Nullable | Children | Parents | Comment |
|---|---|---|---|---|---|---|
| audience | text[] | | true | | | Optional audience constraint mirrored from access token. |
| client_id | uuid | | false | | public.oauth_clients | Client the refresh token belongs to. |
| created_at | timestamp with time zone | now() | false | | | Creation timestamp. |
| digest | bytea | | false | public.oauth_refresh_tokens | | Hashed value (HMAC of raw token). Plaintext shown once to client. |
| dpop_jkt | text | | true | | | If present, refresh token is sender-constrained by this JWK thumbprint. |
| expires_at | timestamp with time zone | | false | | | Expiration time for the refresh token. |
| jti | uuid | gen_random_uuid() | false | | | Unique identifier of the refresh token row. |
| metadata | jsonb | '{}'::jsonb | false | | | Free-form JSON for diagnostics. |
| revoked | boolean | false | false | | | TRUE if the refresh token has been revoked. |
| rotated_from | bytea | | true | | public.oauth_refresh_tokens | Previous refresh token digest if rotated; allows trace of the rotation chain. |
| scopes | text[] | '{}'::text[] | false | | | Scopes associated with the refresh token (limits the scopes of new access tokens). |
| updated_at | timestamp with time zone | now() | false | | | Last update timestamp (maintained by trigger). |
| user_id | uuid | | false | | public.users | Owner (end-user) of the refresh token. |
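The column comments describe the storage design: only a keyed hash of the token is persisted, the plaintext is returned once, `rotated_from` links each token to the one it replaced, `dpop_jkt` binds the token to a client key, and `scopes` caps what a refreshed access token may carry. The following Python is an added example, not code from the project that owns this schema. It mirrors the table in an in-memory SQLite database (a stand-in: SQLite has no uuid, bytea or array types, so digests are hex text and scopes a space-separated string), uses a constructed HMAC key, and adds one assumed policy the schema itself does not mandate: presenting an already-rotated token is treated as theft and revokes the rest of its rotation chain.

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed server-side HMAC key; a real deployment loads it from a secret store.
HMAC_KEY = b"constructed-demo-key-not-for-production"

# SQLite stand-in for oauth_refresh_tokens (simplified: no uuid/bytea/array types).
SCHEMA = """
CREATE TABLE oauth_refresh_tokens (
    digest       TEXT PRIMARY KEY,
    jti          TEXT NOT NULL UNIQUE,
    client_id    TEXT NOT NULL,
    user_id      TEXT NOT NULL,
    scopes       TEXT NOT NULL DEFAULT '',
    dpop_jkt     TEXT CHECK (dpop_jkt IS NULL OR length(dpop_jkt) BETWEEN 43 AND 128),
    rotated_from TEXT REFERENCES oauth_refresh_tokens(digest) ON DELETE SET NULL,
    revoked      INTEGER NOT NULL DEFAULT 0,
    expires_at   TEXT NOT NULL);
"""


def digest_of(raw_token: str) -> str:
    """Keyed hash of the opaque token: a leaked table yields nothing replayable."""
    return hmac.new(HMAC_KEY, raw_token.encode(), hashlib.sha256).hexdigest()


class RefreshTokenStore:
    def __init__(self, lifetime=timedelta(days=30)):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("PRAGMA foreign_keys = ON")
        self.db.executescript(SCHEMA)
        self.lifetime = lifetime

    def issue(self, client_id, user_id, scopes, dpop_jkt=None, rotated_from=None):
        """Insert a row and return the plaintext once; only the digest is persisted."""
        raw = secrets.token_urlsafe(32)
        expires = (datetime.now(timezone.utc) + self.lifetime).isoformat()
        self.db.execute(
            "INSERT INTO oauth_refresh_tokens (digest, jti, client_id, user_id, scopes,"
            " dpop_jkt, rotated_from, expires_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
            (digest_of(raw), secrets.token_hex(16), client_id, user_id,
             " ".join(sorted(scopes)), dpop_jkt, rotated_from, expires))
        self.db.commit()
        return raw

    def _revoke_descendants(self, digest):
        """Revoke `digest` and every token rotated from it (following rotated_from
        forward); ancestors are already revoked because each rotation revokes its predecessor."""
        frontier = [digest]
        while frontier:
            d = frontier.pop()
            self.db.execute("UPDATE oauth_refresh_tokens SET revoked = 1 WHERE digest = ?", (d,))
            frontier += [r[0] for r in self.db.execute(
                "SELECT digest FROM oauth_refresh_tokens WHERE rotated_from = ?", (d,))]
        self.db.commit()

    def rotate(self, raw_token, client_id, requested_scopes=None, presented_jkt=None):
        """Exchange a refresh token for a successor; returns (new_plaintext, scopes)."""
        d = digest_of(raw_token)
        row = self.db.execute(
            "SELECT client_id, user_id, scopes, dpop_jkt, revoked, expires_at"
            " FROM oauth_refresh_tokens WHERE digest = ?", (d,)).fetchone()
        if row is None:
            raise PermissionError("unknown refresh token")
        row_client, user_id, scopes, jkt, revoked, expires_at = row
        if revoked:
            # Replay of an already-rotated token: assumed policy is to cut the whole chain.
            self._revoke_descendants(d)
            raise PermissionError("refresh token reuse detected; chain revoked")
        if row_client != client_id:
            raise PermissionError("client mismatch")
        if datetime.fromisoformat(expires_at) <= datetime.now(timezone.utc):
            raise PermissionError("refresh token expired")
        if jkt is not None and not hmac.compare_digest(
                jkt.encode(), (presented_jkt or "").encode()):
            raise PermissionError("DPoP key does not match sender-constrained token")
        granted = set(scopes.split())
        wanted = set(requested_scopes) if requested_scopes else granted
        if not wanted <= granted:  # scopes may only narrow, never widen, on rotation
            raise PermissionError("requested scopes exceed those bound to the token")
        self.db.execute("UPDATE oauth_refresh_tokens SET revoked = 1 WHERE digest = ?", (d,))
        self.db.commit()
        return self.issue(client_id, user_id, wanted, dpop_jkt=jkt, rotated_from=d), sorted(wanted)


def demo():
    """Issue, narrow on rotation, reject a wrong DPoP key, then detect a replay."""
    store = RefreshTokenStore()
    jkt = "A" * 43  # constructed placeholder; a real jkt is a 43-char base64url SHA-256
    t0 = store.issue("client-A", "user-1", {"read", "write"}, dpop_jkt=jkt)
    t1, scopes = store.rotate(t0, "client-A", requested_scopes={"read"}, presented_jkt=jkt)
    out = {"narrowed": scopes}
    for label, token, key in (("wrong_key", t1, "B" * 43),  # bound key mismatch
                              ("replay", t0, jkt),          # t0 was already rotated
                              ("after_replay", t1, jkt)):   # t1 revoked by the replay
        try:
            store.rotate(token, "client-A", presented_jkt=key)
        except PermissionError as e:
            out[label] = str(e)
    return out
```

`demo()` returns the outcome of each step: the rotated token carries only `read`, the mismatched DPoP key is refused without touching the chain, and replaying `t0` revokes `t1` as well, so the legitimate holder is forced back through a full authorization, which is the detection signal a defender wants from `rotated_from`.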
## Constraints

| Name | Type | Definition |
|---|---|---|
| audience_uris_valid | CHECK | CHECK (are_valid_oauth_uris_or_null(audience)) |
| fk_rotated_from | FOREIGN KEY | FOREIGN KEY (rotated_from) REFERENCES oauth_refresh_tokens(digest) ON DELETE SET NULL |
| oauth_refresh_tokens_client_id_fkey | FOREIGN KEY | FOREIGN KEY (client_id) REFERENCES oauth_clients(id) ON DELETE CASCADE |
| oauth_refresh_tokens_client_id_not_null | NOT NULL | NOT NULL client_id |
| oauth_refresh_tokens_created_at_not_null | NOT NULL | NOT NULL created_at |
| oauth_refresh_tokens_digest_not_null | NOT NULL | NOT NULL digest |
| oauth_refresh_tokens_expires_at_not_null | NOT NULL | NOT NULL expires_at |
| oauth_refresh_tokens_jti_not_null | NOT NULL | NOT NULL jti |
| oauth_refresh_tokens_metadata_not_null | NOT NULL | NOT NULL metadata |
| oauth_refresh_tokens_pkey | PRIMARY KEY | PRIMARY KEY (digest) |
| oauth_refresh_tokens_revoked_not_null | NOT NULL | NOT NULL revoked |
| oauth_refresh_tokens_scopes_not_null | NOT NULL | NOT NULL scopes |
| oauth_refresh_tokens_updated_at_not_null | NOT NULL | NOT NULL updated_at |
| oauth_refresh_tokens_user_id_fkey | FOREIGN KEY | FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE |
| oauth_refresh_tokens_user_id_not_null | NOT NULL | NOT NULL user_id |
| refresh_token_dpop_shape_chk | CHECK | CHECK (((dpop_jkt IS NULL) OR ((length(dpop_jkt) >= 43) AND (length(dpop_jkt) <= 128)))) |
| scopes_token_chars | CHECK | CHECK (scopes_all_valid(scopes)) |
## Indexes

| Name | Definition | Comment |
|---|---|---|
| idx_oauth_refresh_tokens_expires_at | CREATE INDEX idx_oauth_refresh_tokens_expires_at ON public.oauth_refresh_tokens USING btree (expires_at) | Speeds eviction and queries by refresh token expiration. |
| idx_oauth_refresh_tokens_jti | CREATE UNIQUE INDEX idx_oauth_refresh_tokens_jti ON public.oauth_refresh_tokens USING btree (jti) | Guarantees jti uniqueness across refresh tokens (useful for audit/trace). |
| idx_oauth_refresh_tokens_user_client | CREATE INDEX idx_oauth_refresh_tokens_user_client ON public.oauth_refresh_tokens USING btree (user_id, client_id) | Speeds per-user/per-client refresh token lookups. |
| oauth_refresh_tokens_pkey | CREATE UNIQUE INDEX oauth_refresh_tokens_pkey ON public.oauth_refresh_tokens USING btree (digest) | |
## Triggers

| Name | Definition |
|---|---|
| set_timestamp_oauth_refresh_tokens | CREATE TRIGGER set_timestamp_oauth_refresh_tokens BEFORE UPDATE ON public.oauth_refresh_tokens FOR EACH ROW EXECUTE FUNCTION trigger_set_timestamp() |

Generated by tbls