It is what we are doing.
We have 2 variables:
TimeJWT and timeBeforeRefresh
Each time the API is triggered, we check if the JWT is valid and if yes, we check if it is time to send another new JWT.
We use httpOnly so it’s quite easy to send the new cookie from the backend. No need to do anything in the frontend.
We also have added a unique sessionId in the token which is saved on the user level.
It helps to invalidate the JWT when we need to.
We have the trailing session and the invalidate action.
Finally in the frontend we have set an idle function where it asks the backend every 30 sec if the user is logged in or not. This endpoint is not triggering the refresh token.
This logs the user out of the app if the user is not logged in anymore.
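An added server-side sketch of the flow described in this comment (example code, not the commenter's own): a minimal HS256 JWT, the two thresholds TimeJWT and timeBeforeRefresh, a sessionId check against a per-user store used for invalidation, and a separate logged-in check that never refreshes. The secret, lifetimes, user store and function names are assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: server-side signing key
TIME_JWT = 3600             # token lifetime in seconds ("TimeJWT")
TIME_BEFORE_REFRESH = 900   # reissue when less than this remains ("timeBeforeRefresh")

# constructed store: user -> current sessionId; invalidating = dropping the entry
USER_SESSIONS = {"alice": "sess-1"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(user: str, session_id: str, now: float) -> str:
    """Build header.payload.signature with the sessionId embedded as 'sid'."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "sid": session_id,
                               "iat": int(now), "exp": int(now) + TIME_JWT}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, now: float):
    """Return the claims if signature, expiry and sessionId are all valid, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        return None
    # the token is only good while its sid matches the user's current session
    if USER_SESSIONS.get(claims["sub"]) != claims["sid"]:
        return None
    return claims

def handle_request(cookie_token: str, now: float):
    """Per-API-call check: (user or None, new cookie token to set or None)."""
    claims = verify_jwt(cookie_token, now)
    if claims is None:
        return None, None
    if claims["exp"] - now < TIME_BEFORE_REFRESH:  # still valid but time to rotate
        return claims["sub"], issue_jwt(claims["sub"], claims["sid"], now)
    return claims["sub"], None

def is_logged_in(cookie_token: str, now: float) -> bool:
    return verify_jwt(cookie_token, now) is not None  # idle poll: verify only, no refresh

def invalidate_user(user: str) -> None:
    USER_SESSIONS.pop(user, None)  # every JWT carrying the old sid now fails verification
```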