Guardian: do I even need to store JWT access token in the client if I use :refresh_from_cookie with Guardian.Plug.VerifyHeader?

I am looking at the source code of Guardian.Plug.VerifyHeader (https://github.com/ueberauth/guardian/blob/master/lib/guardian/plug/verify_header.ex) and notice that if it can’t find the JWT auth token in the header, it will try to fetch the refresh token from cookies and exchange it for an access token if I have :refresh_from_cookie enabled. It looks to me that I don’t even need to store the JWT access token in an httponly cookie, just the refresh token. Is it correct?

Depending on how many clients you have, you don’t want to exchange the refresh token for an access token on every request, for performance reasons. Usually I would set the access token expiry time to 1 hour, but at the end of the day it depends on the application.