
Pardon my limited knowledge of JWT tokens.

I am building a mobile app and authenticating users via phone SMS. After authentication, my REST API returns a JWT token which has a long expiry time (30 days).

To prevent a hacker from stealing the token and using it, I plan to attach an encrypted device ID to my token. Each subsequent request to my REST API would expect the bearer token and the device ID. If the device ID does not match the one in the claims, then the token is rejected.

Refresh tokens are a great mechanism; I am just looking for an alternative. I am asking the experts in the community whether they find this approach secure enough.

Thanks

user559788
  • 303
  • 2
  • 13
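
As an added example (not part of the question, and not code from the asker), here is what the server-side check described above looks like in Python, using only the standard library. It assumes HS256 with a server-held key, a device ID sent as a separate request header, and, as a design choice of this example rather than the asker's, a claim that carries an HMAC of the device ID under the server key instead of an encrypted copy, so the token never exposes the raw ID and only the server can produce a matching value. The key, subject and device IDs below are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample signing key; a real deployment loads this from a secrets
# manager, never from source code.
SIGNING_KEY = b"constructed-example-signing-key-32-bytes!!"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def device_fingerprint(device_id: str) -> str:
    # HMAC of the device id under the server key: the claim does not reveal the
    # raw id, and a client cannot forge a matching value without the key.
    return hmac.new(SIGNING_KEY, device_id.encode(), hashlib.sha256).hexdigest()


def issue_token(subject: str, device_id: str, now: int, ttl_seconds: int = 30 * 24 * 3600) -> str:
    """Mint an HS256 JWT bound to one device; returns the compact JWT string."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "dev": device_fingerprint(device_id), "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def authorize(token: str, presented_device_id: str, now: int) -> dict:
    """Check a bearer token against the device id sent with the same request.

    Returns {"ok": True, "claims": ...} on success, otherwise {"ok": False,
    "reason": ...}. No claim is trusted until the signature has been verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed token"}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except Exception:
        return {"ok": False, "reason": "malformed token"}
    # Pin the algorithm server-side; the token itself never gets to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return {"ok": False, "reason": "unexpected alg"}
    expected = hmac.new(SIGNING_KEY, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return {"ok": False, "reason": "bad signature"}
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except Exception:
        return {"ok": False, "reason": "malformed payload"}
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return {"ok": False, "reason": "token expired"}
    # Device binding: the id presented with this request must be the one the
    # token was minted for. Constant-time compare avoids leaking match length.
    dev_claim = claims.get("dev")
    if not isinstance(dev_claim, str) or not hmac.compare_digest(
        dev_claim, device_fingerprint(presented_device_id)
    ):
        return {"ok": False, "reason": "device mismatch"}
    return {"ok": True, "claims": claims}


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock for a reproducible run
    token = issue_token("+15555550100", "device-A", now)
    print(authorize(token, "device-A", now + 60))
    print(authorize(token, "device-B", now + 60))
```

From a defender's point of view the check raises the bar only when the device ID is harder to obtain than the token itself: if both travel in the same request, anything that captures one (a logging proxy, a compromised client) captures the other, so a 30-day token bound this way still needs a server-side revocation path such as a token ID that can be denylisted on logout or SIM change.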

0 Answers