fuck it, im giving my users permanent access tokens, because for some reason using refresh tokens is black magic to the internet -.-

Afaik, discord does that too. Just hide it.

That sounds like a bad idea. What are you using to manage your tokens?
Services like Cognito or Auth0 can just do it for you.

@dan-pud keycloak, and i can just get new tokens fine.

But im also using apollo client(because graphql), and theres nobody talking about how to handle expired keys with that

Wut, how so?

Do it properly, or it'll come back to bite later.

@dakkarant whether you're using rest or graphql the logic should be the same. Request tokens from service. Attach a token to a request, the server checks it, if valid process request, if expired (or not valid) reject request. Client then needs to go back to token service and exchange refresh token then try the request again with the new token.
Managed services and sdks will do all this for you in background.

@dan-pud yes the whole refreshing thing works, but apollo doesnt have anything build in it seems to retry on a failed request
(they do but that only triggers on network errors, not graphql errors)