Yes, you should issue a new refresh token every time the client requests a new access token. This process, known as refresh token rotation, enhances security by preventing token reuse attacks. If a refresh token is compromised, an attacker won’t be able to use it once a new token has been issued and the old one has been invalidated. This approach ensures that only the latest refresh token remains valid, reducing the risk of unauthorized access.

To properly implement refresh token rotation, you should invalidate the old refresh token whenever a new one is issued. This can be done by storing refresh tokens in a database and marking them as expired upon rotation. Additionally, refresh tokens should be stored securely on the client side, such as in HTTP-only cookies (for web apps) or secure storage (for mobile apps). Monitoring token refresh events can also help detect suspicious activities, such as attempts to use an old refresh token.

Best practices include using short-lived access tokens (e.g., 15 minutes) and longer-lived refresh tokens (e.g., 7 days), but rotating them with every refresh request. Implementing rate limiting can prevent abuse, while keeping a denylist of revoked tokens ensures they cannot be reused. Some alternatives to full rotation include sliding expiration, where the refresh token's validity is extended upon each use, and opaque tokens, which are stored in a database rather than using JWTs. However, refresh token rotation remains one of the most secure and widely recommended approaches.