Why Hashing Refresh Tokens Broke My Auth Flow — and How I Fixed It

Source: DEV Community
When I first decided to hash refresh tokens before storing them in the database, it felt like a straightforward security improvement. But the moment I did that, my refresh-token flow broke. Not because hashing itself was wrong. The real issue was that hashing changed how I had to design the lookup and verification flow. This post is about that problem, the first working fix I used, and the more optimal version I reached after understanding the flow properly.

What I was trying to do

My auth setup was simple in principle:
- access tokens for short-lived authentication
- refresh tokens for issuing new access tokens
- sessions stored in the database
- refresh-token rotation for better security

The part I wanted to improve was storage. Instead of saving the refresh token directly in the session collection, I wanted to hash it with Argon2 before saving it, just like we hash passwords. That part was easy enough. A simplified schema method looked like this:

sessionSchema.methods.verifyRefreshToken = a