Demo: Token Refresh Race
How the race condition works
Both contexts
(main page + iframe) start with the
same refresh token
Click
"Expire JWT"
— both detect expiry and try to refresh simultaneously
Server receives two refresh requests with the same token
First request wins:
gets new tokens,
old token is invalidated
Second request fails:
token already used →
logged out!
Random network latency (100-500ms) determines the winner
🖥️ Server State (real backend)
Current Refresh Token:
Loading...
JWT Status:
Loading...
⏰ Expire JWT (triggers refresh race)
📄 Main Page
Auth Status:
Logged In
My Refresh Token:
—
🖼️ Iframe (same origin)