Refresh jwt token for self-hosted app's ajax endpoint?

Here’s my setup:

  1. web pages at /dashboard/…
  2. some POST ajax endpoints at /dashboard/ajax/…

Everything with prefix /dashboard/ is protected by Zero Trust’s applications (e.g., a specific email has to login).


If we stay on a /dashboard/ web page for a long time (e.g., editing a long blog post), then POST ajax endpoints will be redirected to a url like, thus ajax requests would fail due to CORS errors. To my understanding, such redirection is to refresh jwt token (i.e., sending GET request to

Is there a way to proactively refresh jwt token?

One thought is you can change the session duration, on the overview page of the Access Application (the default is 24 hours).

Second thought, you’ll need to run something on the side:

  1. overwrite the current cookie
  2. have the user attempt to get something bogus
  3. follow the redirects, if there is a valid global session cookie you’ll get a new cookie, or be forced to login.