Authentication with JWT and refresh token

David Vicente Fuentes

Jan 3, 2018, 11:06:10 AM
to nodejs
We have created a server with JWT authentication and we wanted the tokens to expire after a time. In order to not force the user to authenticate again every time the token expires, we implemented a resource to refresh this token automatically.
Now we have a security doubt. What if someone takes your refresh token? How have you solved this problem?
We are thinking about manual refresh token rejection by admins, but we are not sure about this solution. What do you think?

We wrote some notes about this:

https://solidgeargroup.com/refresh-token-with-jwt-authentication-node-js
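
Added example, not part of the original post or the linked article: a Node.js sketch of the setup described above, with a short-lived HS256 access JWT, an opaque refresh token kept server-side, and an admin action that rejects a user's refresh tokens. All function names, the TTL values and the in-memory `Map` store are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);   // per-process HS256 signing key (constructed)
const ACCESS_TTL_S = 300;                // access token lifetime: 5 minutes (assumed)
const REFRESH_TTL_S = 7 * 24 * 3600;     // refresh token lifetime: 7 days (assumed)
const refreshStore = new Map();          // sha256(refresh token) -> { user, exp, revoked }

const b64url = (x) => Buffer.from(x).toString('base64url');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

function signJwt(user, now) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ sub: user, iat: now, exp: now + ACCESS_TTL_S }));
  return `${head}.${body}.${sign(`${head}.${body}`)}`;
}

// Returns the claims, or null if the signature is wrong or the token has expired.
function verifyJwt(token, now) {
  const [head, body, sig] = String(token).split('.');
  if (!head || !body || !sig) return null;
  const expected = Buffer.from(sign(`${head}.${body}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  return claims.exp > now ? claims : null;
}

// Login: only a hash of the refresh token is stored, so a leaked store cannot be replayed.
function issueTokens(user, now) {
  const refreshToken = crypto.randomBytes(32).toString('base64url');
  refreshStore.set(sha256(refreshToken), { user, exp: now + REFRESH_TTL_S, revoked: false });
  return { accessToken: signJwt(user, now), refreshToken };
}

// Refresh resource: a new access token only for a known, unexpired, non-revoked refresh token.
function refreshAccessToken(refreshToken, now) {
  const rec = refreshStore.get(sha256(String(refreshToken)));
  if (!rec || rec.revoked || rec.exp <= now) return null;
  return signJwt(rec.user, now);
}

// Admin action: reject every refresh token of a user; returns how many were revoked.
function revokeRefreshTokens(user) {
  let count = 0;
  for (const rec of refreshStore.values()) {
    if (rec.user === user && !rec.revoked) { rec.revoked = true; count++; }
  }
  return count;
}
```

Revocation here only stops new access tokens from being issued; an access JWT that was already handed out stays valid until its `exp`, which is why the access lifetime is kept short.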