Add `jti` claim

Have each JWT token have a `jti` claim (JWT ID) to help with tracking
refreshes, and therefore validity of the JWTs.

If a refresh token is used more than once, then that refresh token,
and all its progeny/descendants are considered invalid, since that
token could have been stolen.

0 files changed, 0 insertions, 0 deletions