Monday, December 22, 2025

Parashar
In this post, I walk through a production-ready approach to implementing interaction-based idle timeout alongside cross-tab-safe refresh token rotation in a Next.js (App Router) application. We'll look at how to separate concerns between user inactivity and token expiry, avoid common race conditions across browser tabs, and handle edge cases like page reloads during token refresh, all without relying on localStorage or exposing sensitive auth logic to client code. This approach works with NextAuth, not against it, and fills critical gaps until first-class support arrives.