The refreshToken is valid for 7 days.
Auth Best Practices and Middleware flow:
We recommend you to store all the information returned by SignIn and SignUp except for expiresIn.
Every request except SignIn and SignUp require the accessToken in the header.
userId and refreshToken are used when you want to refresh your accessToken using the refresh-access-token endpoint.
Typical auth middleware flow: If any api request returns a 401 response code, this means your accessToken needs to be refreshed. Call the /auth/refresh-access-token endpoint. If this request returns a 401 as well, it means your refreshToken is expired. If the refreshToken is expired, remove the access and refresh tokens from local storage, call the /auth/revoke-refresh-token endpoint, then finally log the user out.