From 9ceaf35fd950d5edd9775d17f79386d729eac7cd Mon Sep 17 00:00:00 2001 From: Kharec Date: Thu, 8 Jan 2026 06:28:29 +0100 Subject: [PATCH] docs: note refresh token rotation and auth refresh/revoke endpoints --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 3a96ddb..04bc85f 100644 --- a/README.md +++ b/README.md @@ -117,6 +117,8 @@ JWT_EXPIRATION=1 JWT_REFRESH_EXPIRATION=168 ``` +Refresh tokens rotate on each successful refresh, the previous refresh token is invalidated. + ### SMTP Configuration ```bash @@ -203,6 +205,9 @@ It'll be more readable and easier to parse. - `POST /api/auth/login` - Login user - `GET /api/auth/confirm` - Confirm email - `POST /api/auth/logout` - Logout user +- `POST /api/auth/refresh` - Refresh access token (rotates refresh token) +- `POST /api/auth/revoke` - Revoke a refresh token +- `POST /api/auth/revoke-all` - Revoke all refresh tokens for the current user #### Posts
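Review bot: In the first README hunk (the line added after `JWT_REFRESH_EXPIRATION=168`), the new sentence is a comma splice and leaves two security-relevant behaviours undocumented: whether the rotated token gets a fresh `JWT_REFRESH_EXPIRATION` window or inherits the original expiry, and what the server does when the invalidated token is presented again. Suggest splitting it, for example "Refresh tokens rotate on each successful refresh; the previous refresh token is invalidated.", and adding one sentence on the response to a reused token, so that client authors know whether a replay only fails or also ends the session.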
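Review bot: In the second README hunk (the endpoint list after `POST /api/auth/logout`), the three new entries do not say how the refresh token is supplied, whether `POST /api/auth/revoke` requires an authenticated caller, or how `logout` relates to `revoke`. `revoke-all` is described as acting on "the current user", which implies an access token is required, but `refresh` and `revoke` give no such hint. Suggest adding the expected input and auth requirement to each line, and noting whether `POST /api/auth/logout` also revokes the session's refresh token, so readers do not assume logout leaves it valid or invalid by guesswork.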