Add fauna db provider

fix: env to return custom access token script
fix: allow using cookie and header in case of validating jwt
2022-01-24 18:53:53 +05:30 · 2022-01-24 10:22:55 +05:30 · 2022-01-24 09:56:12 +05:30 · 2022-01-24 00:32:06 +05:30 · 2022-01-23 01:24:41 +05:30 · 2022-01-22 11:29:03 +05:30
66 changed files with 1733 additions and 664 deletions
--- a/TODO.md
+++ b/TODO.md
@@ -1,5 +1,16 @@
 # Task List

+## Implement better way of handling jwt tokens
+
+Check: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/#server-side-rendering-ssr
+
+- [x] Set finger print in response cookie (https://github.com/hasura/jwt-guide/blob/60a7a86146d604fc48a799fffdee712be1c52cd0/lib/setFingerprintCookieAndSignJwt.ts#L8)
+- [x] Save refresh token in session store
+- [x] refresh token should be made more secure with the help of secure token rotation. Every time new token is requested new refresh token should be generated
+- [x] Return jwt in response
+- [x] To get session send finger print and refresh token [if they are valid -> a new access token is generated and sent to user]
+- [x] Refresh token should be long living token (refresh token + finger print hash should be verified)
+
 ## Open ID compatible claims and schema

 - [x] Rename `schema.graphqls` and re generate schema
--- a/app/package-lock.json
+++ b/app/package-lock.json
@@ -5,19 +5,19 @@
 	"requires": true,
 	"dependencies": {
 		"@authorizerdev/authorizer-js": {
-			"version": "0.2.0",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-js/-/authorizer-js-0.2.0.tgz",
-			"integrity": "sha512-T2gurEYEP1T56j9IwDIWP1PsELoWcU7TBl5G0UsMqFQhKo7T6p2hM634Z7PS1yLegU3aihuvHGI0C0n4xSo0VQ==",
+			"version": "0.2.1",
+			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-js/-/authorizer-js-0.2.1.tgz",
+			"integrity": "sha512-5lQlh+nc5xTsPongfTyCSX24A1WESu/BjhmZwUNuScEOGady0qPoDHE3RBf46dpi5v05wbHCDN1IFEalX5zssQ==",
 			"requires": {
 				"node-fetch": "^2.6.1"
 			}
 		},
 		"@authorizerdev/authorizer-react": {
-			"version": "0.4.0",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.4.0.tgz",
-			"integrity": "sha512-ydE7xrP3cqeTtU923bK0+OIB1fnL0VHnbThcNa41n89XUPV3VBhZ23gxMg90nqon8JFE5g2TNz7+/qBCOQ7aZw==",
+			"version": "0.4.3",
+			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.4.3.tgz",
+			"integrity": "sha512-o/wWe9zZ3ARYdjbDfhGfvOxe1YQrE1YQ+UN9pcq85YSDkbfBkOfcnJ4YxlxWdL0Obd/ErDIeQ3vskyrfvRf3sA==",
 			"requires": {
-				"@authorizerdev/authorizer-js": "^0.2.0",
+				"@authorizerdev/authorizer-js": "^0.2.1",
 				"final-form": "^4.20.2",
 				"react-final-form": "^6.5.3",
 				"styled-components": "^5.3.0"
@@ -32,11 +32,11 @@
 			}
 		},
 		"@babel/generator": {
-			"version": "7.16.7",
-			"resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.16.7.tgz",
-			"integrity": "sha512-/ST3Sg8MLGY5HVYmrjOgL60ENux/HfO/CsUh7y4MalThufhE/Ff/6EibFDHi4jiDCaWfJKoqbE6oTh21c5hrRg==",
+			"version": "7.16.8",
+			"resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.16.8.tgz",
+			"integrity": "sha512-1ojZwE9+lOXzcWdWmO6TbUzDfqLD39CmEhN8+2cX9XkDo5yW1OpgfejfliysR2AWLpMamTiOiAp/mtroaymhpw==",
 			"requires": {
-				"@babel/types": "^7.16.7",
+				"@babel/types": "^7.16.8",
 				"jsesc": "^2.5.1",
 				"source-map": "^0.5.0"
 			}
@@ -105,9 +105,9 @@
 			"integrity": "sha512-hsEnFemeiW4D08A5gUAZxLBTXpZ39P+a+DGDsHw1yxqyQ/jzFEnxf5uTEGp+3bzAbNOxU1paTgYS4ECU/IgfDw=="
 		},
 		"@babel/highlight": {
-			"version": "7.16.7",
-			"resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.16.7.tgz",
-			"integrity": "sha512-aKpPMfLvGO3Q97V0qhw/V2SWNWlwfJknuwAunU7wZLSfrM4xTBvg7E5opUVi1kJTBKihE38CPg4nBiqX83PWYw==",
+			"version": "7.16.10",
+			"resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.16.10.tgz",
+			"integrity": "sha512-5FnTQLSLswEj6IkgVw5KusNUUFY9ZGqe/TRFnP/BKYHYgfh7tc+C7mwiy95/yNP7Dh9x580Vv8r7u7ZfTBFxdw==",
 			"requires": {
 				"@babel/helper-validator-identifier": "^7.16.7",
 				"chalk": "^2.0.0",
@@ -115,9 +115,9 @@
 			}
 		},
 		"@babel/parser": {
-			"version": "7.16.7",
-			"resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.16.7.tgz",
-			"integrity": "sha512-sR4eaSrnM7BV7QPzGfEX5paG/6wrZM3I0HDzfIAK06ESvo9oy3xBuVBxE3MbQaKNhvg8g/ixjMWo2CGpzpHsDA=="
+			"version": "7.16.12",
+			"resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.16.12.tgz",
+			"integrity": "sha512-VfaV15po8RiZssrkPweyvbGVSe4x2y+aciFCgn0n0/SJMR22cwofRV1mtnJQYcSB1wUTaA/X1LnA3es66MCO5A=="
 		},
 		"@babel/runtime": {
 			"version": "7.14.8",
@@ -138,26 +138,26 @@
 			}
 		},
 		"@babel/traverse": {
-			"version": "7.16.7",
-			"resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.16.7.tgz",
-			"integrity": "sha512-8KWJPIb8c2VvY8AJrydh6+fVRo2ODx1wYBU2398xJVq0JomuLBZmVQzLPBblJgHIGYG4znCpUZUZ0Pt2vdmVYQ==",
+			"version": "7.16.10",
+			"resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.16.10.tgz",
+			"integrity": "sha512-yzuaYXoRJBGMlBhsMJoUW7G1UmSb/eXr/JHYM/MsOJgavJibLwASijW7oXBdw3NQ6T0bW7Ty5P/VarOs9cHmqw==",
 			"requires": {
 				"@babel/code-frame": "^7.16.7",
-				"@babel/generator": "^7.16.7",
+				"@babel/generator": "^7.16.8",
 				"@babel/helper-environment-visitor": "^7.16.7",
 				"@babel/helper-function-name": "^7.16.7",
 				"@babel/helper-hoist-variables": "^7.16.7",
 				"@babel/helper-split-export-declaration": "^7.16.7",
-				"@babel/parser": "^7.16.7",
-				"@babel/types": "^7.16.7",
+				"@babel/parser": "^7.16.10",
+				"@babel/types": "^7.16.8",
 				"debug": "^4.1.0",
 				"globals": "^11.1.0"
 			}
 		},
 		"@babel/types": {
-			"version": "7.16.7",
-			"resolved": "https://registry.npmjs.org/@babel/types/-/types-7.16.7.tgz",
-			"integrity": "sha512-E8HuV7FO9qLpx6OtoGfUQ2cjIYnbFwvZWYBS+87EwtdMvmUPJSwykpovFB+8insbpF0uJcpr8KMUi64XZntZcg==",
+			"version": "7.16.8",
+			"resolved": "https://registry.npmjs.org/@babel/types/-/types-7.16.8.tgz",
+			"integrity": "sha512-smN2DQc5s4M7fntyjGtyIPbRJv6wW4rU/94fmYJ7PKQuZkC0qGMHXJbg6sNGt12JmVr4k5YaptI/XtiLJBnmIg==",
 			"requires": {
 				"@babel/helper-validator-identifier": "^7.16.7",
 				"to-fast-properties": "^2.0.0"
@@ -420,9 +420,9 @@
 			"integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
 		},
 		"node-fetch": {
-			"version": "2.6.6",
-			"resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz",
-			"integrity": "sha512-Z8/6vRlTUChSdIgMa51jxQ4lrw/Jy5SOW10ObaA47/RElsAN2c5Pn8bTgFGWn/ibwzXTE8qwr1Yzx28vsecXEA==",
+			"version": "2.6.7",
+			"resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
+			"integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
 			"requires": {
 				"whatwg-url": "^5.0.0"
 			}
--- a/server/constants/db_types.go
+++ b/server/constants/db_types.go
@@ -13,4 +13,6 @@ const (
 	DbTypeArangodb = "arangodb"
 	// DbTypeMongodb is the mongodb database type
 	DbTypeMongodb = "mongodb"
+	// DbTypeFaunadb is the faunadb database type
+	DbTypeFaunadb = "faunadb"
 )
--- a/server/cookie/admin_cookie.go
+++ b/server/cookie/admin_cookie.go
@@ -0,0 +1,44 @@
+package cookie
+
+import (
+	"net/url"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/utils"
+	"github.com/gin-gonic/gin"
+)
+
+// SetAdminCookie sets the admin cookie in the response
+func SetAdminCookie(gc *gin.Context, token string) {
+	secure := true
+	httpOnly := true
+	host, _ := utils.GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), token, 3600, "/", host, secure, httpOnly)
+}
+
+// GetAdminCookie gets the admin cookie from the request
+func GetAdminCookie(gc *gin.Context) (string, error) {
+	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName))
+	if err != nil {
+		return "", err
+	}
+
+	// cookie escapes special characters like $
+	// hence we need to unescape before comparing
+	decodedValue, err := url.QueryUnescape(cookie.Value)
+	if err != nil {
+		return "", err
+	}
+	return decodedValue, nil
+}
+
+// DeleteAdminCookie sets the response cookie to empty
+func DeleteAdminCookie(gc *gin.Context) {
+	secure := true
+	httpOnly := true
+	host, _ := utils.GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), "", -1, "/", host, secure, httpOnly)
+}
--- a/server/cookie/cookie.go
+++ b/server/cookie/cookie.go
@@ -0,0 +1,101 @@
+package cookie
+
+import (
+	"net/http"
+	"net/url"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/utils"
+	"github.com/gin-gonic/gin"
+)
+
+// SetCookie sets the cookie in the response. It sets 4 cookies
+// 1 COOKIE_NAME.access_token jwt token for the host (temp.abc.com)
+// 2 COOKIE_NAME.access_token.domain jwt token for the domain (abc.com).
+// 3 COOKIE_NAME.fingerprint fingerprint hash for the refresh token verification.
+// 4 COOKIE_NAME.refresh_token refresh token
+// Note all sites don't allow 2nd type of cookie
+func SetCookie(gc *gin.Context, accessToken, refreshToken, fingerprintHash string) {
+	secure := true
+	httpOnly := true
+	host, _ := utils.GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+	domain := utils.GetDomainName(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+	if domain != "localhost" {
+		domain = "." + domain
+	}
+
+	year := 60 * 60 * 24 * 365
+	thirtyMin := 60 * 30
+
+	gc.SetSameSite(http.SameSiteNoneMode)
+	// set cookie for host
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", accessToken, thirtyMin, "/", host, secure, httpOnly)
+
+	// in case of subdomain, set cookie for domain
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token.domain", accessToken, thirtyMin, "/", domain, secure, httpOnly)
+
+	// set finger print cookie (this should be accessed via cookie only)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".fingerprint", fingerprintHash, year, "/", host, secure, httpOnly)
+
+	// set refresh token cookie (this should be accessed via cookie only)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".refresh_token", refreshToken, year, "/", host, secure, httpOnly)
+}
+
+// GetAccessTokenCookie to get access token cookie from the request
+func GetAccessTokenCookie(gc *gin.Context) (string, error) {
+	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".access_token")
+	if err != nil {
+		cookie, err = gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".access_token.domain")
+		if err != nil {
+			return "", err
+		}
+	}
+
+	return cookie.Value, nil
+}
+
+// GetRefreshTokenCookie to get refresh token cookie
+func GetRefreshTokenCookie(gc *gin.Context) (string, error) {
+	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".refresh_token")
+	if err != nil {
+		return "", err
+	}
+
+	return cookie.Value, nil
+}
+
+// GetFingerPrintCookie to get fingerprint cookie
+func GetFingerPrintCookie(gc *gin.Context) (string, error) {
+	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + ".fingerprint")
+	if err != nil {
+		return "", err
+	}
+
+	// cookie escapes special characters like $
+	// hence we need to unescape before comparing
+	decodedValue, err := url.QueryUnescape(cookie.Value)
+	if err != nil {
+		return "", err
+	}
+
+	return decodedValue, nil
+}
+
+// DeleteCookie sets response cookies to expire
+func DeleteCookie(gc *gin.Context) {
+	secure := true
+	httpOnly := true
+
+	host, _ := utils.GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+	domain := utils.GetDomainName(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
+	if domain != "localhost" {
+		domain = "." + domain
+	}
+
+	gc.SetSameSite(http.SameSiteNoneMode)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", "", -1, "/", host, secure, httpOnly)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token.domain", "", -1, "/", domain, secure, httpOnly)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".fingerprint", "", -1, "/", host, secure, httpOnly)
+	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".refresh_token", "", -1, "/", host, secure, httpOnly)
+}
--- a/server/db/db.go
+++ b/server/db/db.go
@@ -6,6 +6,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db/providers"
 	"github.com/authorizerdev/authorizer/server/db/providers/arangodb"
+	"github.com/authorizerdev/authorizer/server/db/providers/faunadb"
 	"github.com/authorizerdev/authorizer/server/db/providers/mongodb"
 	"github.com/authorizerdev/authorizer/server/db/providers/sql"
 	"github.com/authorizerdev/authorizer/server/envstore"
@@ -17,9 +18,10 @@ var Provider providers.Provider
 func InitDB() {
 	var err error

-	isSQL := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) != constants.DbTypeArangodb && envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) != constants.DbTypeMongodb
+	isSQL := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) != constants.DbTypeArangodb && envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) != constants.DbTypeMongodb && envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) != constants.DbTypeFaunadb
 	isArangoDB := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) == constants.DbTypeArangodb
 	isMongoDB := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) == constants.DbTypeMongodb
+	isFaunaDB := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseType) == constants.DbTypeFaunadb

 	if isSQL {
 		Provider, err = sql.NewProvider()
@@ -41,4 +43,11 @@ func InitDB() {
 			log.Fatal("=> error setting arangodb provider:", err)
 		}
 	}
+
+	if isFaunaDB {
+		Provider, err = faunadb.NewProvider()
+		if err != nil {
+			log.Fatal("=> error setting arangodb provider:", err)
+		}
+	}
 }
--- a/server/db/models/user.go
+++ b/server/db/models/user.go
@@ -1,5 +1,11 @@
 package models

+import (
+	"strings"
+
+	"github.com/authorizerdev/authorizer/server/graph/model"
+)
+
 // User model for db
 type User struct {
 	Key string `json:"_key,omitempty" bson:"_key"` // for arangodb
@@ -22,3 +28,27 @@ type User struct {
 	UpdatedAt             int64   `gorm:"autoUpdateTime" json:"updated_at" bson:"updated_at"`
 	CreatedAt             int64   `gorm:"autoCreateTime" json:"created_at" bson:"created_at"`
 }
+
+func (user *User) AsAPIUser() *model.User {
+	isEmailVerified := user.EmailVerifiedAt != nil
+	isPhoneVerified := user.PhoneNumberVerifiedAt != nil
+	return &model.User{
+		ID:                  user.ID,
+		Email:               user.Email,
+		EmailVerified:       isEmailVerified,
+		SignupMethods:       user.SignupMethods,
+		GivenName:           user.GivenName,
+		FamilyName:          user.FamilyName,
+		MiddleName:          user.MiddleName,
+		Nickname:            user.Nickname,
+		PreferredUsername:   &user.Email,
+		Gender:              user.Gender,
+		Birthdate:           user.Birthdate,
+		PhoneNumber:         user.PhoneNumber,
+		PhoneNumberVerified: &isPhoneVerified,
+		Picture:             user.Picture,
+		Roles:               strings.Split(user.Roles, ","),
+		CreatedAt:           &user.CreatedAt,
+		UpdatedAt:           &user.UpdatedAt,
+	}
+}
--- a/server/db/providers/faunadb/env.go
+++ b/server/db/providers/faunadb/env.go
@@ -0,0 +1,51 @@
+package faunadb
+
+import (
+	"log"
+	"time"
+
+	f "github.com/fauna/faunadb-go/v5/faunadb"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+)
+
+// AddEnv to save environment information in database
+func (p *provider) AddEnv(env models.Env) (models.Env, error) {
+	if env.ID == "" {
+		env.ID = uuid.New().String()
+		env.Key = env.ID
+	}
+
+	env.CreatedAt = time.Now().Unix()
+	env.UpdatedAt = time.Now().Unix()
+
+	_, err := p.db.Query(
+		f.Create(
+			f.Collection(models.Collections.Env),
+			f.Obj{
+				"data": env,
+			},
+		),
+	)
+	if err != nil {
+		log.Println("error adding env:", err)
+		return env, err
+	}
+
+	return env, nil
+}
+
+// UpdateEnv to update environment information in database
+func (p *provider) UpdateEnv(env models.Env) (models.Env, error) {
+	env.UpdatedAt = time.Now().Unix()
+
+	return env, nil
+}
+
+// GetEnv to get environment information from database
+func (p *provider) GetEnv() (models.Env, error) {
+	var env models.Env
+
+	return env, nil
+}
--- a/server/db/providers/faunadb/faunadb.go
+++ b/server/db/providers/faunadb/faunadb.go
@@ -0,0 +1,164 @@
+package faunadb
+
+import (
+	"errors"
+	"log"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/db/models"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	f "github.com/fauna/faunadb-go/v5/faunadb"
+)
+
+type provider struct {
+	db *f.FaunaClient
+}
+
+// NewProvider returns a new faunadb provider
+func NewProvider() (*provider, error) {
+	secret := ""
+	dbURL := "https://db.fauna.com"
+
+	// secret,url is stored in DATABASE_URL
+	dbURLSplit := strings.Split(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL), ":")
+	secret = dbURLSplit[0]
+
+	if len(dbURLSplit) > 1 {
+		dbURL = dbURLSplit[1]
+	}
+
+	client := f.NewFaunaClient(secret, f.Endpoint(dbURL))
+	if client == nil {
+		return nil, errors.New("failed to create faunadb client")
+	}
+
+	_, err := client.Query(
+		f.CreateCollection(f.Obj{"name": models.Collections.Env}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateIndex(
+			f.Obj{
+				"name":   "env_id",
+				"source": f.Collection(models.Collections.Env),
+				"values": "_id",
+				"unique": true,
+			}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateIndex(
+			f.Obj{
+				"name":   "env_key",
+				"source": f.Collection(models.Collections.Env),
+				"values": "_key",
+				"unique": true,
+			}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateCollection(f.Obj{"name": models.Collections.User}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateIndex(
+			f.Obj{
+				"name":   "_id",
+				"source": f.Collection(models.Collections.User),
+				"unique": true,
+			}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateIndex(
+			f.Obj{
+				"name":   "_key",
+				"source": f.Collection(models.Collections.User),
+				"unique": true,
+			}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateIndex(
+			f.Obj{
+				"name":   "email",
+				"source": f.Collection(models.Collections.User),
+				"unique": true,
+			}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateCollection(f.Obj{"name": models.Collections.Session}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateIndex(
+			f.Obj{
+				"name":   "_id",
+				"source": f.Collection(models.Collections.Session),
+				"unique": true,
+			}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateIndex(
+			f.Obj{
+				"name":   "_key",
+				"source": f.Collection(models.Collections.Session),
+				"unique": true,
+			}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateCollection(f.Obj{"name": models.Collections.VerificationRequest}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateIndex(
+			f.Obj{
+				"name":   "_id",
+				"source": f.Collection(models.Collections.VerificationRequest),
+				"unique": true,
+			}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	_, err = client.Query(
+		f.CreateIndex(
+			f.Obj{
+				"name":   "_key",
+				"source": f.Collection(models.Collections.VerificationRequest),
+				"unique": true,
+			}))
+	if err != nil {
+		log.Println("error:", err)
+	}
+
+	return &provider{
+		db: client,
+	}, nil
+}
--- a/server/db/providers/faunadb/session.go
+++ b/server/db/providers/faunadb/session.go
@@ -0,0 +1,25 @@
+package faunadb
+
+import (
+	"time"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+	"github.com/google/uuid"
+)
+
+// AddSession to save session information in database
+func (p *provider) AddSession(session models.Session) error {
+	if session.ID == "" {
+		session.ID = uuid.New().String()
+	}
+
+	session.CreatedAt = time.Now().Unix()
+	session.UpdatedAt = time.Now().Unix()
+
+	return nil
+}
+
+// DeleteSession to delete session information from database
+func (p *provider) DeleteSession(userId string) error {
+	return nil
+}
--- a/server/db/providers/faunadb/user.go
+++ b/server/db/providers/faunadb/user.go
@@ -0,0 +1,60 @@
+package faunadb
+
+import (
+	"strings"
+	"time"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/db/models"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/google/uuid"
+)
+
+// AddUser to save user information in database
+func (p *provider) AddUser(user models.User) (models.User, error) {
+	if user.ID == "" {
+		user.ID = uuid.New().String()
+	}
+
+	if user.Roles == "" {
+		user.Roles = strings.Join(envstore.EnvInMemoryStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
+	}
+
+	user.CreatedAt = time.Now().Unix()
+	user.UpdatedAt = time.Now().Unix()
+
+	return user, nil
+}
+
+// UpdateUser to update user information in database
+func (p *provider) UpdateUser(user models.User) (models.User, error) {
+	user.UpdatedAt = time.Now().Unix()
+
+	return user, nil
+}
+
+// DeleteUser to delete user information from database
+func (p *provider) DeleteUser(user models.User) error {
+	return nil
+}
+
+// ListUsers to get list of users from database
+func (p *provider) ListUsers() ([]models.User, error) {
+	var users []models.User
+
+	return users, nil
+}
+
+// GetUserByEmail to get user information from database using email address
+func (p *provider) GetUserByEmail(email string) (models.User, error) {
+	var user models.User
+
+	return user, nil
+}
+
+// GetUserByID to get user information from database using user ID
+func (p *provider) GetUserByID(id string) (models.User, error) {
+	var user models.User
+
+	return user, nil
+}
--- a/server/db/providers/faunadb/verification_requests.go
+++ b/server/db/providers/faunadb/verification_requests.go
@@ -0,0 +1,46 @@
+package faunadb
+
+import (
+	"time"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+	"github.com/google/uuid"
+)
+
+// AddVerification to save verification request in database
+func (p *provider) AddVerificationRequest(verificationRequest models.VerificationRequest) (models.VerificationRequest, error) {
+	if verificationRequest.ID == "" {
+		verificationRequest.ID = uuid.New().String()
+	}
+
+	verificationRequest.CreatedAt = time.Now().Unix()
+	verificationRequest.UpdatedAt = time.Now().Unix()
+
+	return verificationRequest, nil
+}
+
+// GetVerificationRequestByToken to get verification request from database using token
+func (p *provider) GetVerificationRequestByToken(token string) (models.VerificationRequest, error) {
+	var verificationRequest models.VerificationRequest
+
+	return verificationRequest, nil
+}
+
+// GetVerificationRequestByEmail to get verification request by email from database
+func (p *provider) GetVerificationRequestByEmail(email string, identifier string) (models.VerificationRequest, error) {
+	var verificationRequest models.VerificationRequest
+
+	return verificationRequest, nil
+}
+
+// ListVerificationRequests to get list of verification requests from database
+func (p *provider) ListVerificationRequests() ([]models.VerificationRequest, error) {
+	var verificationRequests []models.VerificationRequest
+
+	return verificationRequests, nil
+}
+
+// DeleteVerificationRequest to delete verification request from database
+func (p *provider) DeleteVerificationRequest(verificationRequest models.VerificationRequest) error {
+	return nil
+}
--- a/server/env/env.go
+++ b/server/env/env.go
@@ -12,16 +12,6 @@ import (
 	"github.com/joho/godotenv"
 )

-// TODO move this to env store
-var (
-	// ARG_DB_URL is the cli arg variable for the database url
-	ARG_DB_URL *string
-	// ARG_DB_TYPE is the cli arg variable for the database type
-	ARG_DB_TYPE *string
-	// ARG_ENV_FILE is the cli arg variable for the env file
-	ARG_ENV_FILE *string
-)
-
 // InitEnv to initialize EnvData and through error if required env are not present
 func InitEnv() {
 	// get clone of current store
@@ -51,8 +41,8 @@ func InitEnv() {
 		envData.StringEnv[constants.EnvKeyEnvPath] = `.env`
 	}

-	if ARG_ENV_FILE != nil && *ARG_ENV_FILE != "" {
-		envData.StringEnv[constants.EnvKeyEnvPath] = *ARG_ENV_FILE
+	if envstore.ARG_ENV_FILE != nil && *envstore.ARG_ENV_FILE != "" {
+		envData.StringEnv[constants.EnvKeyEnvPath] = *envstore.ARG_ENV_FILE
 	}

 	err := godotenv.Load(envData.StringEnv[constants.EnvKeyEnvPath])
@@ -74,8 +64,8 @@ func InitEnv() {
 	if envData.StringEnv[constants.EnvKeyDatabaseType] == "" {
 		envData.StringEnv[constants.EnvKeyDatabaseType] = os.Getenv("DATABASE_TYPE")

-		if ARG_DB_TYPE != nil && *ARG_DB_TYPE != "" {
-			envData.StringEnv[constants.EnvKeyDatabaseType] = *ARG_DB_TYPE
+		if envstore.ARG_DB_TYPE != nil && *envstore.ARG_DB_TYPE != "" {
+			envData.StringEnv[constants.EnvKeyDatabaseType] = *envstore.ARG_DB_TYPE
 		}

 		if envData.StringEnv[constants.EnvKeyDatabaseType] == "" {
@@ -86,8 +76,8 @@ func InitEnv() {
 	if envData.StringEnv[constants.EnvKeyDatabaseURL] == "" {
 		envData.StringEnv[constants.EnvKeyDatabaseURL] = os.Getenv("DATABASE_URL")

-		if ARG_DB_URL != nil && *ARG_DB_URL != "" {
-			envData.StringEnv[constants.EnvKeyDatabaseURL] = *ARG_DB_URL
+		if envstore.ARG_DB_URL != nil && *envstore.ARG_DB_URL != "" {
+			envData.StringEnv[constants.EnvKeyDatabaseURL] = *envstore.ARG_DB_URL
 		}

 		if envData.StringEnv[constants.EnvKeyDatabaseURL] == "" {
--- a/server/envstore/store.go
+++ b/server/envstore/store.go
@@ -6,6 +6,15 @@ import (
 	"github.com/authorizerdev/authorizer/server/constants"
 )

+var (
+	// ARG_DB_URL is the cli arg variable for the database url
+	ARG_DB_URL *string
+	// ARG_DB_TYPE is the cli arg variable for the database type
+	ARG_DB_TYPE *string
+	// ARG_ENV_FILE is the cli arg variable for the env file
+	ARG_ENV_FILE *string
+)
+
 // Store data structure
 type Store struct {
 	StringEnv map[string]string   `json:"string_env"`
--- a/server/go.mod
+++ b/server/go.mod
@@ -6,6 +6,7 @@ require (
 	github.com/99designs/gqlgen v0.14.0
 	github.com/arangodb/go-driver v1.2.1
 	github.com/coreos/go-oidc/v3 v3.1.0
+	github.com/fauna/faunadb-go/v5 v5.0.0-beta // indirect
 	github.com/gin-contrib/location v0.0.2
 	github.com/gin-gonic/gin v1.7.2
 	github.com/go-playground/validator/v10 v10.8.0 // indirect
--- a/server/go.sum
+++ b/server/go.sum
@@ -79,6 +79,8 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/fauna/faunadb-go/v5 v5.0.0-beta h1:qjig7OPEsDPH/DJuHWIrOboreYd5aLQnSCzLgHDpnck=
+github.com/fauna/faunadb-go/v5 v5.0.0-beta/go.mod h1:eoEA8JUERBnzK5/8Rxnetzx326ImTZ8c++wi2GQwrEU=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -456,6 +458,7 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q=
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
--- a/server/graph/generated/generated.go
+++ b/server/graph/generated/generated.go
@@ -56,6 +56,7 @@ type ComplexityRoot struct {
 		AppURL                     func(childComplexity int) int
 		AuthorizerURL              func(childComplexity int) int
 		CookieName                 func(childComplexity int) int
+		CustomAccessTokenScript    func(childComplexity int) int
 		DatabaseName               func(childComplexity int) int
 		DatabaseType               func(childComplexity int) int
 		DatabaseURL                func(childComplexity int) int
@@ -122,9 +123,10 @@ type ComplexityRoot struct {
 	Query struct {
 		AdminSession         func(childComplexity int) int
 		Env                  func(childComplexity int) int
+		IsValidJwt           func(childComplexity int, params *model.IsValidJWTQueryInput) int
 		Meta                 func(childComplexity int) int
 		Profile              func(childComplexity int) int
-		Session              func(childComplexity int, roles []string) int
+		Session              func(childComplexity int, params *model.SessionQueryInput) int
 		Users                func(childComplexity int) int
 		VerificationRequests func(childComplexity int) int
 	}
@@ -153,6 +155,11 @@ type ComplexityRoot struct {
 		UpdatedAt           func(childComplexity int) int
 	}

+	ValidJWTResponse struct {
+		Message func(childComplexity int) int
+		Valid   func(childComplexity int) int
+	}
+
 	VerificationRequest struct {
 		CreatedAt  func(childComplexity int) int
 		Email      func(childComplexity int) int
@@ -183,7 +190,8 @@ type MutationResolver interface {
 }
 type QueryResolver interface {
 	Meta(ctx context.Context) (*model.Meta, error)
-	Session(ctx context.Context, roles []string) (*model.AuthResponse, error)
+	Session(ctx context.Context, params *model.SessionQueryInput) (*model.AuthResponse, error)
+	IsValidJwt(ctx context.Context, params *model.IsValidJWTQueryInput) (*model.ValidJWTResponse, error)
 	Profile(ctx context.Context) (*model.User, error)
 	Users(ctx context.Context) ([]*model.User, error)
 	VerificationRequests(ctx context.Context) ([]*model.VerificationRequest, error)
@@ -269,6 +277,13 @@ func (e *executableSchema) Complexity(typeName, field string, childComplexity in

 		return e.complexity.Env.CookieName(childComplexity), true

+	case "Env.CUSTOM_ACCESS_TOKEN_SCRIPT":
+		if e.complexity.Env.CustomAccessTokenScript == nil {
+			break
+		}
+
+		return e.complexity.Env.CustomAccessTokenScript(childComplexity), true
+
 	case "Env.DATABASE_NAME":
 		if e.complexity.Env.DatabaseName == nil {
 			break
@@ -712,6 +727,18 @@ func (e *executableSchema) Complexity(typeName, field string, childComplexity in

 		return e.complexity.Query.Env(childComplexity), true

+	case "Query.is_valid_jwt":
+		if e.complexity.Query.IsValidJwt == nil {
+			break
+		}
+
+		args, err := ec.field_Query_is_valid_jwt_args(context.TODO(), rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Query.IsValidJwt(childComplexity, args["params"].(*model.IsValidJWTQueryInput)), true
+
 	case "Query.meta":
 		if e.complexity.Query.Meta == nil {
 			break
@@ -736,7 +763,7 @@ func (e *executableSchema) Complexity(typeName, field string, childComplexity in
 			return 0, false
 		}

-		return e.complexity.Query.Session(childComplexity, args["roles"].([]string)), true
+		return e.complexity.Query.Session(childComplexity, args["params"].(*model.SessionQueryInput)), true

 	case "Query._users":
 		if e.complexity.Query.Users == nil {
@@ -878,6 +905,20 @@ func (e *executableSchema) Complexity(typeName, field string, childComplexity in

 		return e.complexity.User.UpdatedAt(childComplexity), true

+	case "ValidJWTResponse.message":
+		if e.complexity.ValidJWTResponse.Message == nil {
+			break
+		}
+
+		return e.complexity.ValidJWTResponse.Message(childComplexity), true
+
+	case "ValidJWTResponse.valid":
+		if e.complexity.ValidJWTResponse.Valid == nil {
+			break
+		}
+
+		return e.complexity.ValidJWTResponse.Valid(childComplexity), true
+
 	case "VerificationRequest.created_at":
 		if e.complexity.VerificationRequest.CreatedAt == nil {
 			break
@@ -1055,11 +1096,17 @@ type Response {
 	message: String!
 }

+type ValidJWTResponse {
+	valid: Boolean!
+	message: String!
+}
+
 type Env {
 	ADMIN_SECRET: String
-	DATABASE_TYPE: String
-	DATABASE_URL: String
 	DATABASE_NAME: String
+	DATABASE_URL: String
+	DATABASE_TYPE: String
+	CUSTOM_ACCESS_TOKEN_SCRIPT: String
 	SMTP_HOST: String
 	SMTP_PORT: String
 	SMTP_USERNAME: String
@@ -1093,10 +1140,8 @@ type Env {

 input UpdateEnvInput {
 	ADMIN_SECRET: String
+	CUSTOM_ACCESS_TOKEN_SCRIPT: String
 	OLD_ADMIN_SECRET: String
-	DATABASE_TYPE: String
-	DATABASE_URL: String
-	DATABASE_NAME: String
 	SMTP_HOST: String
 	SMTP_PORT: String
 	SENDER_EMAIL: String
@@ -1214,6 +1259,15 @@ input MagicLinkLoginInput {
 	roles: [String!]
 }

+input SessionQueryInput {
+	roles: [String!]
+}
+
+input IsValidJWTQueryInput {
+	jwt: String
+	roles: [String!]
+}
+
 type Mutation {
 	signup(params: SignUpInput!): AuthResponse!
 	login(params: LoginInput!): AuthResponse!
@@ -1235,7 +1289,8 @@ type Mutation {

 type Query {
 	meta: Meta!
-	session(roles: [String!]): AuthResponse!
+	session(params: SessionQueryInput): AuthResponse!
+	is_valid_jwt(params: IsValidJWTQueryInput): ValidJWTResponse!
 	profile: User!
 	# admin only apis
 	_users: [User!]!
@@ -1461,18 +1516,33 @@ func (ec *executionContext) field_Query___type_args(ctx context.Context, rawArgs
 	return args, nil
 }

-func (ec *executionContext) field_Query_session_args(ctx context.Context, rawArgs map[string]interface{}) (map[string]interface{}, error) {
+func (ec *executionContext) field_Query_is_valid_jwt_args(ctx context.Context, rawArgs map[string]interface{}) (map[string]interface{}, error) {
 	var err error
 	args := map[string]interface{}{}
-	var arg0 []string
-	if tmp, ok := rawArgs["roles"]; ok {
-		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-		arg0, err = ec.unmarshalOString2ᚕstringᚄ(ctx, tmp)
+	var arg0 *model.IsValidJWTQueryInput
+	if tmp, ok := rawArgs["params"]; ok {
+		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+		arg0, err = ec.unmarshalOIsValidJWTQueryInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐIsValidJWTQueryInput(ctx, tmp)
 		if err != nil {
 			return nil, err
 		}
 	}
-	args["roles"] = arg0
+	args["params"] = arg0
+	return args, nil
+}
+
+func (ec *executionContext) field_Query_session_args(ctx context.Context, rawArgs map[string]interface{}) (map[string]interface{}, error) {
+	var err error
+	args := map[string]interface{}{}
+	var arg0 *model.SessionQueryInput
+	if tmp, ok := rawArgs["params"]; ok {
+		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+		arg0, err = ec.unmarshalOSessionQueryInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐSessionQueryInput(ctx, tmp)
+		if err != nil {
+			return nil, err
+		}
+	}
+	args["params"] = arg0
 	return args, nil
 }

@@ -1677,7 +1747,7 @@ func (ec *executionContext) _Env_ADMIN_SECRET(ctx context.Context, field graphql
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }

-func (ec *executionContext) _Env_DATABASE_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+func (ec *executionContext) _Env_DATABASE_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
 	defer func() {
 		if r := recover(); r != nil {
 			ec.Error(ctx, ec.Recover(ctx, r))
@@ -1695,7 +1765,7 @@ func (ec *executionContext) _Env_DATABASE_TYPE(ctx context.Context, field graphq
 	ctx = graphql.WithFieldContext(ctx, fc)
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseType, nil
+		return obj.DatabaseName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -1741,7 +1811,7 @@ func (ec *executionContext) _Env_DATABASE_URL(ctx context.Context, field graphql
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }

-func (ec *executionContext) _Env_DATABASE_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+func (ec *executionContext) _Env_DATABASE_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
 	defer func() {
 		if r := recover(); r != nil {
 			ec.Error(ctx, ec.Recover(ctx, r))
@@ -1759,7 +1829,39 @@ func (ec *executionContext) _Env_DATABASE_NAME(ctx context.Context, field graphq
 	ctx = graphql.WithFieldContext(ctx, fc)
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseName, nil
+		return obj.DatabaseType, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) _Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	fc := &graphql.FieldContext{
+		Object:     "Env",
+		Field:      field,
+		Args:       nil,
+		IsMethod:   false,
+		IsResolver: false,
+	}
+
+	ctx = graphql.WithFieldContext(ctx, fc)
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.CustomAccessTokenScript, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -3692,7 +3794,7 @@ func (ec *executionContext) _Query_session(ctx context.Context, field graphql.Co
 	fc.Args = args
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Session(rctx, args["roles"].([]string))
+		return ec.resolvers.Query().Session(rctx, args["params"].(*model.SessionQueryInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -3709,6 +3811,48 @@ func (ec *executionContext) _Query_session(ctx context.Context, field graphql.Co
 	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }

+func (ec *executionContext) _Query_is_valid_jwt(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	fc := &graphql.FieldContext{
+		Object:     "Query",
+		Field:      field,
+		Args:       nil,
+		IsMethod:   true,
+		IsResolver: true,
+	}
+
+	ctx = graphql.WithFieldContext(ctx, fc)
+	rawArgs := field.ArgumentMap(ec.Variables)
+	args, err := ec.field_Query_is_valid_jwt_args(ctx, rawArgs)
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	fc.Args = args
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
+		ctx = rctx // use context from middleware stack in children
+		return ec.resolvers.Query().IsValidJwt(rctx, args["params"].(*model.IsValidJWTQueryInput))
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.ValidJWTResponse)
+	fc.Result = res
+	return ec.marshalNValidJWTResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐValidJWTResponse(ctx, field.Selections, res)
+}
+
 func (ec *executionContext) _Query_profile(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
 	defer func() {
 		if r := recover(); r != nil {
@@ -4549,6 +4693,76 @@ func (ec *executionContext) _User_updated_at(ctx context.Context, field graphql.
 	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }

+func (ec *executionContext) _ValidJWTResponse_valid(ctx context.Context, field graphql.CollectedField, obj *model.ValidJWTResponse) (ret graphql.Marshaler) {
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	fc := &graphql.FieldContext{
+		Object:     "ValidJWTResponse",
+		Field:      field,
+		Args:       nil,
+		IsMethod:   false,
+		IsResolver: false,
+	}
+
+	ctx = graphql.WithFieldContext(ctx, fc)
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Valid, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(bool)
+	fc.Result = res
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) _ValidJWTResponse_message(ctx context.Context, field graphql.CollectedField, obj *model.ValidJWTResponse) (ret graphql.Marshaler) {
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	fc := &graphql.FieldContext{
+		Object:     "ValidJWTResponse",
+		Field:      field,
+		Args:       nil,
+		IsMethod:   false,
+		IsResolver: false,
+	}
+
+	ctx = graphql.WithFieldContext(ctx, fc)
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Message, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(string)
+	fc.Result = res
+	return ec.marshalNString2string(ctx, field.Selections, res)
+}
+
 func (ec *executionContext) _VerificationRequest_id(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
 	defer func() {
 		if r := recover(); r != nil {
@@ -5990,6 +6204,37 @@ func (ec *executionContext) unmarshalInputForgotPasswordInput(ctx context.Contex
 	return it, nil
 }

+func (ec *executionContext) unmarshalInputIsValidJWTQueryInput(ctx context.Context, obj interface{}) (model.IsValidJWTQueryInput, error) {
+	var it model.IsValidJWTQueryInput
+	asMap := map[string]interface{}{}
+	for k, v := range obj.(map[string]interface{}) {
+		asMap[k] = v
+	}
+
+	for k, v := range asMap {
+		switch k {
+		case "jwt":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("jwt"))
+			it.Jwt, err = ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+		case "roles":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			it.Roles, err = ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+		}
+	}
+
+	return it, nil
+}
+
 func (ec *executionContext) unmarshalInputLoginInput(ctx context.Context, obj interface{}) (model.LoginInput, error) {
 	var it model.LoginInput
 	asMap := map[string]interface{}{}
@@ -6130,6 +6375,29 @@ func (ec *executionContext) unmarshalInputResetPasswordInput(ctx context.Context
 	return it, nil
 }

+func (ec *executionContext) unmarshalInputSessionQueryInput(ctx context.Context, obj interface{}) (model.SessionQueryInput, error) {
+	var it model.SessionQueryInput
+	asMap := map[string]interface{}{}
+	for k, v := range obj.(map[string]interface{}) {
+		asMap[k] = v
+	}
+
+	for k, v := range asMap {
+		switch k {
+		case "roles":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			it.Roles, err = ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+		}
+	}
+
+	return it, nil
+}
+
 func (ec *executionContext) unmarshalInputSignUpInput(ctx context.Context, obj interface{}) (model.SignUpInput, error) {
 	var it model.SignUpInput
 	asMap := map[string]interface{}{}
@@ -6258,6 +6526,14 @@ func (ec *executionContext) unmarshalInputUpdateEnvInput(ctx context.Context, ob
 			if err != nil {
 				return it, err
 			}
+		case "CUSTOM_ACCESS_TOKEN_SCRIPT":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("CUSTOM_ACCESS_TOKEN_SCRIPT"))
+			it.CustomAccessTokenScript, err = ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
 		case "OLD_ADMIN_SECRET":
 			var err error

@@ -6266,30 +6542,6 @@ func (ec *executionContext) unmarshalInputUpdateEnvInput(ctx context.Context, ob
 			if err != nil {
 				return it, err
 			}
-		case "DATABASE_TYPE":
-			var err error
-
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DATABASE_TYPE"))
-			it.DatabaseType, err = ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-		case "DATABASE_URL":
-			var err error
-
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DATABASE_URL"))
-			it.DatabaseURL, err = ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-		case "DATABASE_NAME":
-			var err error
-
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DATABASE_NAME"))
-			it.DatabaseName, err = ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
 		case "SMTP_HOST":
 			var err error

@@ -6819,12 +7071,14 @@ func (ec *executionContext) _Env(ctx context.Context, sel ast.SelectionSet, obj
 			out.Values[i] = graphql.MarshalString("Env")
 		case "ADMIN_SECRET":
 			out.Values[i] = ec._Env_ADMIN_SECRET(ctx, field, obj)
-		case "DATABASE_TYPE":
-			out.Values[i] = ec._Env_DATABASE_TYPE(ctx, field, obj)
-		case "DATABASE_URL":
-			out.Values[i] = ec._Env_DATABASE_URL(ctx, field, obj)
 		case "DATABASE_NAME":
 			out.Values[i] = ec._Env_DATABASE_NAME(ctx, field, obj)
+		case "DATABASE_URL":
+			out.Values[i] = ec._Env_DATABASE_URL(ctx, field, obj)
+		case "DATABASE_TYPE":
+			out.Values[i] = ec._Env_DATABASE_TYPE(ctx, field, obj)
+		case "CUSTOM_ACCESS_TOKEN_SCRIPT":
+			out.Values[i] = ec._Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx, field, obj)
 		case "SMTP_HOST":
 			out.Values[i] = ec._Env_SMTP_HOST(ctx, field, obj)
 		case "SMTP_PORT":
@@ -7127,6 +7381,20 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 				}
 				return res
 			})
+		case "is_valid_jwt":
+			field := field
+			out.Concurrently(i, func() (res graphql.Marshaler) {
+				defer func() {
+					if r := recover(); r != nil {
+						ec.Error(ctx, ec.Recover(ctx, r))
+					}
+				}()
+				res = ec._Query_is_valid_jwt(ctx, field)
+				if res == graphql.Null {
+					atomic.AddUint32(&invalids, 1)
+				}
+				return res
+			})
 		case "profile":
 			field := field
 			out.Concurrently(i, func() (res graphql.Marshaler) {
@@ -7310,6 +7578,38 @@ func (ec *executionContext) _User(ctx context.Context, sel ast.SelectionSet, obj
 	return out
 }

+var validJWTResponseImplementors = []string{"ValidJWTResponse"}
+
+func (ec *executionContext) _ValidJWTResponse(ctx context.Context, sel ast.SelectionSet, obj *model.ValidJWTResponse) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, validJWTResponseImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	var invalids uint32
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("ValidJWTResponse")
+		case "valid":
+			out.Values[i] = ec._ValidJWTResponse_valid(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				invalids++
+			}
+		case "message":
+			out.Values[i] = ec._ValidJWTResponse_message(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch()
+	if invalids > 0 {
+		return graphql.Null
+	}
+	return out
+}
+
 var verificationRequestImplementors = []string{"VerificationRequest"}

 func (ec *executionContext) _VerificationRequest(ctx context.Context, sel ast.SelectionSet, obj *model.VerificationRequest) graphql.Marshaler {
@@ -7854,6 +8154,20 @@ func (ec *executionContext) marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋautho
 	return ec._User(ctx, sel, v)
 }

+func (ec *executionContext) marshalNValidJWTResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐValidJWTResponse(ctx context.Context, sel ast.SelectionSet, v model.ValidJWTResponse) graphql.Marshaler {
+	return ec._ValidJWTResponse(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNValidJWTResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐValidJWTResponse(ctx context.Context, sel ast.SelectionSet, v *model.ValidJWTResponse) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	return ec._ValidJWTResponse(ctx, sel, v)
+}
+
 func (ec *executionContext) marshalNVerificationRequest2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐVerificationRequestᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.VerificationRequest) graphql.Marshaler {
 	ret := make(graphql.Array, len(v))
 	var wg sync.WaitGroup
@@ -8209,6 +8523,22 @@ func (ec *executionContext) marshalOInt642ᚖint64(ctx context.Context, sel ast.
 	return graphql.MarshalInt64(*v)
 }

+func (ec *executionContext) unmarshalOIsValidJWTQueryInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐIsValidJWTQueryInput(ctx context.Context, v interface{}) (*model.IsValidJWTQueryInput, error) {
+	if v == nil {
+		return nil, nil
+	}
+	res, err := ec.unmarshalInputIsValidJWTQueryInput(ctx, v)
+	return &res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalOSessionQueryInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐSessionQueryInput(ctx context.Context, v interface{}) (*model.SessionQueryInput, error) {
+	if v == nil {
+		return nil, nil
+	}
+	res, err := ec.unmarshalInputSessionQueryInput(ctx, v)
+	return &res, graphql.ErrorOnPath(ctx, err)
+}
+
 func (ec *executionContext) unmarshalOString2string(ctx context.Context, v interface{}) (string, error) {
 	res, err := graphql.UnmarshalString(v)
 	return res, graphql.ErrorOnPath(ctx, err)
--- a/server/graph/model/models_gen.go
+++ b/server/graph/model/models_gen.go
@@ -23,9 +23,10 @@ type DeleteUserInput struct {

 type Env struct {
 	AdminSecret                *string  `json:"ADMIN_SECRET"`
-	DatabaseType               *string  `json:"DATABASE_TYPE"`
-	DatabaseURL                *string  `json:"DATABASE_URL"`
 	DatabaseName               *string  `json:"DATABASE_NAME"`
+	DatabaseURL                *string  `json:"DATABASE_URL"`
+	DatabaseType               *string  `json:"DATABASE_TYPE"`
+	CustomAccessTokenScript    *string  `json:"CUSTOM_ACCESS_TOKEN_SCRIPT"`
 	SMTPHost                   *string  `json:"SMTP_HOST"`
 	SMTPPort                   *string  `json:"SMTP_PORT"`
 	SMTPUsername               *string  `json:"SMTP_USERNAME"`
@@ -66,6 +67,11 @@ type ForgotPasswordInput struct {
 	Email string `json:"email"`
 }

+type IsValidJWTQueryInput struct {
+	Jwt   *string  `json:"jwt"`
+	Roles []string `json:"roles"`
+}
+
 type LoginInput struct {
 	Email    string   `json:"email"`
 	Password string   `json:"password"`
@@ -102,6 +108,10 @@ type Response struct {
 	Message string `json:"message"`
 }

+type SessionQueryInput struct {
+	Roles []string `json:"roles"`
+}
+
 type SignUpInput struct {
 	Email           string   `json:"email"`
 	GivenName       *string  `json:"given_name"`
@@ -119,10 +129,8 @@ type SignUpInput struct {

 type UpdateEnvInput struct {
 	AdminSecret                *string  `json:"ADMIN_SECRET"`
+	CustomAccessTokenScript    *string  `json:"CUSTOM_ACCESS_TOKEN_SCRIPT"`
 	OldAdminSecret             *string  `json:"OLD_ADMIN_SECRET"`
-	DatabaseType               *string  `json:"DATABASE_TYPE"`
-	DatabaseURL                *string  `json:"DATABASE_URL"`
-	DatabaseName               *string  `json:"DATABASE_NAME"`
 	SMTPHost                   *string  `json:"SMTP_HOST"`
 	SMTPPort                   *string  `json:"SMTP_PORT"`
 	SenderEmail                *string  `json:"SENDER_EMAIL"`
@@ -203,6 +211,11 @@ type User struct {
 	UpdatedAt           *int64   `json:"updated_at"`
 }

+type ValidJWTResponse struct {
+	Valid   bool   `json:"valid"`
+	Message string `json:"message"`
+}
+
 type VerificationRequest struct {
 	ID         string  `json:"id"`
 	Identifier *string `json:"identifier"`
--- a/server/graph/schema.graphqls
+++ b/server/graph/schema.graphqls
@@ -62,11 +62,17 @@ type Response {
 	message: String!
 }

+type ValidJWTResponse {
+	valid: Boolean!
+	message: String!
+}
+
 type Env {
 	ADMIN_SECRET: String
-	DATABASE_TYPE: String
-	DATABASE_URL: String
 	DATABASE_NAME: String
+	DATABASE_URL: String
+	DATABASE_TYPE: String
+	CUSTOM_ACCESS_TOKEN_SCRIPT: String
 	SMTP_HOST: String
 	SMTP_PORT: String
 	SMTP_USERNAME: String
@@ -100,10 +106,8 @@ type Env {

 input UpdateEnvInput {
 	ADMIN_SECRET: String
+	CUSTOM_ACCESS_TOKEN_SCRIPT: String
 	OLD_ADMIN_SECRET: String
-	DATABASE_TYPE: String
-	DATABASE_URL: String
-	DATABASE_NAME: String
 	SMTP_HOST: String
 	SMTP_PORT: String
 	SENDER_EMAIL: String
@@ -221,6 +225,15 @@ input MagicLinkLoginInput {
 	roles: [String!]
 }

+input SessionQueryInput {
+	roles: [String!]
+}
+
+input IsValidJWTQueryInput {
+	jwt: String
+	roles: [String!]
+}
+
 type Mutation {
 	signup(params: SignUpInput!): AuthResponse!
 	login(params: LoginInput!): AuthResponse!
@@ -242,7 +255,8 @@ type Mutation {

 type Query {
 	meta: Meta!
-	session(roles: [String!]): AuthResponse!
+	session(params: SessionQueryInput): AuthResponse!
+	is_valid_jwt(params: IsValidJWTQueryInput): ValidJWTResponse!
 	profile: User!
 	# admin only apis
 	_users: [User!]!
--- a/server/graph/schema.resolvers.go
+++ b/server/graph/schema.resolvers.go
@@ -75,8 +75,12 @@ func (r *queryResolver) Meta(ctx context.Context) (*model.Meta, error) {
 	return resolvers.MetaResolver(ctx)
 }

-func (r *queryResolver) Session(ctx context.Context, roles []string) (*model.AuthResponse, error) {
-	return resolvers.SessionResolver(ctx, roles)
+func (r *queryResolver) Session(ctx context.Context, params *model.SessionQueryInput) (*model.AuthResponse, error) {
+	return resolvers.SessionResolver(ctx, params)
+}
+
+func (r *queryResolver) IsValidJwt(ctx context.Context, params *model.IsValidJWTQueryInput) (*model.ValidJWTResponse, error) {
+	return resolvers.IsValidJwtResolver(ctx, params)
 }

 func (r *queryResolver) Profile(ctx context.Context) (*model.User, error) {
--- a/server/handlers/oauth_callback.go
+++ b/server/handlers/oauth_callback.go
@@ -11,11 +11,13 @@ import (
 	"time"

 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/oauth"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gin-gonic/gin"
@@ -28,11 +30,11 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		provider := c.Param("oauth_provider")
 		state := c.Request.FormValue("state")

-		sessionState := session.GetSocailLoginState(state)
+		sessionState := sessionstore.GetSocailLoginState(state)
 		if sessionState == "" {
 			c.JSON(400, gin.H{"error": "invalid oauth state"})
 		}
-		session.RemoveSocialLoginState(state)
+		sessionstore.RemoveSocialLoginState(state)
 		// contains random token, redirect url, role
 		sessionSplit := strings.Split(state, "___")

@@ -135,12 +137,10 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		}

 		user, _ = db.Provider.GetUserByEmail(user.Email)
-		userIdStr := fmt.Sprintf("%v", user.ID)
-		refreshToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeRefreshToken, inputRoles)

-		accessToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeAccessToken, inputRoles)
-		utils.SetCookie(c, accessToken)
-		session.SetUserSession(userIdStr, accessToken, refreshToken)
+		authToken, _ := token.CreateAuthToken(user, inputRoles)
+		sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+		cookie.SetCookie(c, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
 		utils.SaveSessionInDB(user.ID, c)

 		c.Redirect(http.StatusTemporaryRedirect, redirectURL)
--- a/server/handlers/oauth_login.go
+++ b/server/handlers/oauth_login.go
@@ -7,7 +7,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/oauth"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
@@ -54,7 +54,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				isProviderConfigured = false
 				break
 			}
-			session.SetSocailLoginState(oauthStateString, constants.SignupMethodGoogle)
+			sessionstore.SetSocailLoginState(oauthStateString, constants.SignupMethodGoogle)
 			// during the init of OAuthProvider authorizer url might be empty
 			oauth.OAuthProviders.GoogleConfig.RedirectURL = envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL) + "/oauth_callback/google"
 			url := oauth.OAuthProviders.GoogleConfig.AuthCodeURL(oauthStateString)
@@ -64,7 +64,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				isProviderConfigured = false
 				break
 			}
-			session.SetSocailLoginState(oauthStateString, constants.SignupMethodGithub)
+			sessionstore.SetSocailLoginState(oauthStateString, constants.SignupMethodGithub)
 			oauth.OAuthProviders.GithubConfig.RedirectURL = envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL) + "/oauth_callback/github"
 			url := oauth.OAuthProviders.GithubConfig.AuthCodeURL(oauthStateString)
 			c.Redirect(http.StatusTemporaryRedirect, url)
@@ -73,7 +73,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				isProviderConfigured = false
 				break
 			}
-			session.SetSocailLoginState(oauthStateString, constants.SignupMethodFacebook)
+			sessionstore.SetSocailLoginState(oauthStateString, constants.SignupMethodFacebook)
 			oauth.OAuthProviders.FacebookConfig.RedirectURL = envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL) + "/oauth_callback/facebook"
 			url := oauth.OAuthProviders.FacebookConfig.AuthCodeURL(oauthStateString)
 			c.Redirect(http.StatusTemporaryRedirect, url)
--- a/server/handlers/verify_email.go
+++ b/server/handlers/verify_email.go
@@ -5,9 +5,10 @@ import (
 	"strings"
 	"time"

-	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/gin-gonic/gin"
 )
@@ -19,20 +20,20 @@ func VerifyEmailHandler() gin.HandlerFunc {
 		errorRes := gin.H{
 			"message": "invalid token",
 		}
-		token := c.Query("token")
-		if token == "" {
+		tokenInQuery := c.Query("token")
+		if tokenInQuery == "" {
 			c.JSON(400, errorRes)
 			return
 		}

-		verificationRequest, err := db.Provider.GetVerificationRequestByToken(token)
+		verificationRequest, err := db.Provider.GetVerificationRequestByToken(tokenInQuery)
 		if err != nil {
 			c.JSON(400, errorRes)
 			return
 		}

 		// verify if token exists in db
-		claim, err := utils.VerifyVerificationToken(token)
+		claim, err := token.VerifyVerificationToken(tokenInQuery)
 		if err != nil {
 			c.JSON(400, errorRes)
 			return
@@ -56,13 +57,17 @@ func VerifyEmailHandler() gin.HandlerFunc {
 		db.Provider.DeleteVerificationRequest(verificationRequest)

 		roles := strings.Split(user.Roles, ",")
-		refreshToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeRefreshToken, roles)
-
-		accessToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeAccessToken, roles)
-
-		session.SetUserSession(user.ID, accessToken, refreshToken)
+		authToken, err := token.CreateAuthToken(user, roles)
+		if err != nil {
+			c.JSON(400, gin.H{
+				"message": err.Error(),
+			})
+			return
+		}
+		sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+		cookie.SetCookie(c, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
 		utils.SaveSessionInDB(user.ID, c)
-		utils.SetCookie(c, accessToken)
+
 		c.Redirect(http.StatusTemporaryRedirect, claim.RedirectURL)
 	}
 }
--- a/server/main.go
+++ b/server/main.go
@@ -9,15 +9,15 @@ import (
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/oauth"
 	"github.com/authorizerdev/authorizer/server/routes"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
 )

 var VERSION string

 func main() {
-	env.ARG_DB_URL = flag.String("database_url", "", "Database connection string")
-	env.ARG_DB_TYPE = flag.String("database_type", "", "Database type, possible values are postgres,mysql,sqlite")
-	env.ARG_ENV_FILE = flag.String("env_file", "", "Env file path")
+	envstore.ARG_DB_URL = flag.String("database_url", "", "Database connection string")
+	envstore.ARG_DB_TYPE = flag.String("database_type", "", "Database type, possible values are postgres,mysql,sqlite")
+	envstore.ARG_ENV_FILE = flag.String("env_file", "", "Env file path")
 	flag.Parse()

 	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyVersion, VERSION)
@@ -26,7 +26,7 @@ func main() {
 	db.InitDB()
 	env.PersistEnv()

-	session.InitSession()
+	sessionstore.InitSession()
 	oauth.InitOAuth()

 	router := routes.InitRouter()
--- a/server/resolvers/admin_login.go
+++ b/server/resolvers/admin_login.go
@@ -5,6 +5,7 @@ import (
 	"fmt"

 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/utils"
@@ -28,7 +29,7 @@ func AdminLoginResolver(ctx context.Context, params model.AdminLoginInput) (*mod
 	if err != nil {
 		return res, err
 	}
-	utils.SetAdminCookie(gc, hashedKey)
+	cookie.SetAdminCookie(gc, hashedKey)

 	res = &model.Response{
 		Message: "admin logged in successfully",
--- a/server/resolvers/admin_logout.go
+++ b/server/resolvers/admin_logout.go
@@ -4,7 +4,9 @@ import (
 	"context"
 	"fmt"

+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -17,11 +19,11 @@ func AdminLogoutResolver(ctx context.Context) (*model.Response, error) {
 		return res, err
 	}

-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}

-	utils.DeleteAdminCookie(gc)
+	cookie.DeleteAdminCookie(gc)

 	res = &model.Response{
 		Message: "admin logged out successfully",
--- a/server/resolvers/admin_session.go
+++ b/server/resolvers/admin_session.go
@@ -5,8 +5,10 @@ import (
 	"fmt"

 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -19,7 +21,7 @@ func AdminSessionResolver(ctx context.Context) (*model.Response, error) {
 		return res, err
 	}

-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}

@@ -27,7 +29,7 @@ func AdminSessionResolver(ctx context.Context) (*model.Response, error) {
 	if err != nil {
 		return res, err
 	}
-	utils.SetAdminCookie(gc, hashedKey)
+	cookie.SetAdminCookie(gc, hashedKey)

 	res = &model.Response{
 		Message: "admin logged in successfully",
--- a/server/resolvers/admin_signup.go
+++ b/server/resolvers/admin_signup.go
@@ -7,6 +7,7 @@ import (
 	"strings"

 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
@@ -71,7 +72,7 @@ func AdminSignupResolver(ctx context.Context, params model.AdminSignupInput) (*m
 	if err != nil {
 		return res, err
 	}
-	utils.SetAdminCookie(gc, hashedKey)
+	cookie.SetAdminCookie(gc, hashedKey)

 	res = &model.Response{
 		Message: "admin signed up successfully",
--- a/server/resolvers/delete_user.go
+++ b/server/resolvers/delete_user.go
@@ -7,7 +7,8 @@ import (

 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -19,7 +20,7 @@ func DeleteUserResolver(ctx context.Context, params model.DeleteUserInput) (*mod
 		return res, err
 	}

-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}

@@ -28,7 +29,7 @@ func DeleteUserResolver(ctx context.Context, params model.DeleteUserInput) (*mod
 		return res, err
 	}

-	session.DeleteAllUserSession(fmt.Sprintf("%x", user.ID))
+	sessionstore.DeleteAllUserSession(fmt.Sprintf("%x", user.ID))

 	err = db.Provider.DeleteUser(user)
 	if err != nil {
--- a/server/resolvers/env.go
+++ b/server/resolvers/env.go
@@ -7,6 +7,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -20,16 +21,17 @@ func EnvResolver(ctx context.Context) (*model.Env, error) {
 		return res, err
 	}

-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}

 	// get clone of store
 	store := envstore.EnvInMemoryStoreObj.GetEnvStoreClone()
 	adminSecret := store.StringEnv[constants.EnvKeyAdminSecret]
-	databaseType := store.StringEnv[constants.EnvKeyDatabaseType]
 	databaseURL := store.StringEnv[constants.EnvKeyDatabaseURL]
 	databaseName := store.StringEnv[constants.EnvKeyDatabaseName]
+	databaseType := store.StringEnv[constants.EnvKeyDatabaseType]
+	customAccessTokenScript := store.StringEnv[constants.EnvKeyCustomAccessTokenScript]
 	smtpHost := store.StringEnv[constants.EnvKeySmtpHost]
 	smtpPort := store.StringEnv[constants.EnvKeySmtpPort]
 	smtpUsername := store.StringEnv[constants.EnvKeySmtpUsername]
@@ -62,9 +64,10 @@ func EnvResolver(ctx context.Context) (*model.Env, error) {

 	res = &model.Env{
 		AdminSecret:                &adminSecret,
-		DatabaseType:               &databaseType,
-		DatabaseURL:                &databaseURL,
 		DatabaseName:               &databaseName,
+		DatabaseURL:                &databaseURL,
+		DatabaseType:               &databaseType,
+		CustomAccessTokenScript:    &customAccessTokenScript,
 		SMTPHost:                   &smtpHost,
 		SMTPPort:                   &smtpPort,
 		SMTPPassword:               &smtpPassword,
--- a/server/resolvers/forgot_password.go
+++ b/server/resolvers/forgot_password.go
@@ -13,6 +13,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -38,12 +39,12 @@ func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInpu
 		return res, fmt.Errorf(`user with this email not found`)
 	}

-	token, err := utils.CreateVerificationToken(params.Email, constants.VerificationTypeForgotPassword)
+	verificationToken, err := token.CreateVerificationToken(params.Email, constants.VerificationTypeForgotPassword)
 	if err != nil {
 		log.Println(`error generating token`, err)
 	}
 	db.Provider.AddVerificationRequest(models.VerificationRequest{
-		Token:      token,
+		Token:      verificationToken,
 		Identifier: constants.VerificationTypeForgotPassword,
 		ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 		Email:      params.Email,
@@ -51,7 +52,7 @@ func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInpu

 	// exec it as go routin so that we can reduce the api latency
 	go func() {
-		email.SendForgotPasswordMail(params.Email, token, host)
+		email.SendForgotPasswordMail(params.Email, verificationToken, host)
 	}()

 	res = &model.Response{
--- a/server/resolvers/is_valid_jwt.go
+++ b/server/resolvers/is_valid_jwt.go
@@ -0,0 +1,52 @@
+package resolvers
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
+	tokenHelper "github.com/authorizerdev/authorizer/server/token"
+	"github.com/authorizerdev/authorizer/server/utils"
+)
+
+// IsValidJwtResolver resolver to return if given jwt is valid
+func IsValidJwtResolver(ctx context.Context, params *model.IsValidJWTQueryInput) (*model.ValidJWTResponse, error) {
+	gc, err := utils.GinContextFromContext(ctx)
+	token, err := token.GetAccessToken(gc)
+
+	if token == "" || err != nil {
+		if params != nil && *params.Jwt != "" {
+			token = *params.Jwt
+		} else {
+			return nil, errors.New("no jwt provided via cookie / header / params")
+		}
+	}
+
+	claims, err := tokenHelper.VerifyJWTToken(token)
+	if err != nil {
+		return nil, err
+	}
+
+	claimRoleInterface := claims[envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)].([]interface{})
+	claimRoles := []string{}
+	for _, v := range claimRoleInterface {
+		claimRoles = append(claimRoles, v.(string))
+	}
+
+	if params != nil && params.Roles != nil && len(params.Roles) > 0 {
+		for _, v := range params.Roles {
+			if !utils.StringSliceContains(claimRoles, v) {
+				return nil, fmt.Errorf(`unauthorized`)
+			}
+		}
+	}
+
+	return &model.ValidJWTResponse{
+		Valid:   true,
+		Message: "Valid JWT",
+	}, nil
+}
--- a/server/resolvers/login.go
+++ b/server/resolvers/login.go
@@ -7,10 +7,12 @@ import (
 	"strings"

 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"golang.org/x/crypto/bcrypt"
 )
@@ -56,21 +58,21 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes

 		roles = params.Roles
 	}
-	refreshToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeRefreshToken, roles)

-	accessToken, expiresAt, _ := utils.CreateAuthToken(user, constants.TokenTypeAccessToken, roles)
-
-	session.SetUserSession(user.ID, accessToken, refreshToken)
+	authToken, err := token.CreateAuthToken(user, roles)
+	if err != nil {
+		return res, err
+	}
+	sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+	cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
 	utils.SaveSessionInDB(user.ID, gc)

 	res = &model.AuthResponse{
 		Message:     `Logged in successfully`,
-		AccessToken: &accessToken,
-		ExpiresAt:   &expiresAt,
-		User:        utils.GetResponseUserData(user),
+		AccessToken: &authToken.AccessToken.Token,
+		ExpiresAt:   &authToken.AccessToken.ExpiresAt,
+		User:        user.AsAPIUser(),
 	}

-	utils.SetCookie(gc, accessToken)
-
 	return res, nil
 }
--- a/server/resolvers/logout.go
+++ b/server/resolvers/logout.go
@@ -2,10 +2,11 @@ package resolvers

 import (
 	"context"
-	"fmt"

+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -17,22 +18,38 @@ func LogoutResolver(ctx context.Context) (*model.Response, error) {
 		return res, err
 	}

-	token, err := utils.GetAuthToken(gc)
+	// get refresh token
+	refreshToken, err := token.GetRefreshToken(gc)
 	if err != nil {
 		return res, err
 	}

-	claim, err := utils.VerifyAuthToken(token)
+	// get fingerprint hash
+	fingerprintHash, err := token.GetFingerPrint(gc)
 	if err != nil {
 		return res, err
 	}

-	userId := fmt.Sprintf("%v", claim["id"])
-	session.DeleteUserSession(userId, token)
+	decryptedFingerPrint, err := utils.DecryptAES([]byte(fingerprintHash))
+	if err != nil {
+		return res, err
+	}
+
+	fingerPrint := string(decryptedFingerPrint)
+
+	// verify refresh token and fingerprint
+	claims, err := token.VerifyJWTToken(refreshToken)
+	if err != nil {
+		return res, err
+	}
+
+	userID := claims["id"].(string)
+	sessionstore.DeleteUserSession(userID, fingerPrint)
+	cookie.DeleteCookie(gc)
+
 	res = &model.Response{
 		Message: "Logged out successfully",
 	}

-	utils.DeleteCookie(gc)
 	return res, nil
 }
--- a/server/resolvers/magic_link_login.go
+++ b/server/resolvers/magic_link_login.go
@@ -13,6 +13,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -104,12 +105,12 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 	if !envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
 		// insert verification request
 		verificationType := constants.VerificationTypeMagicLinkLogin
-		token, err := utils.CreateVerificationToken(params.Email, verificationType)
+		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
 		db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      token,
+			Token:      verificationToken,
 			Identifier: verificationType,
 			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 			Email:      params.Email,
@@ -117,7 +118,7 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu

 		// exec it as go routin so that we can reduce the api latency
 		go func() {
-			email.SendVerificationMail(params.Email, token)
+			email.SendVerificationMail(params.Email, verificationToken)
 		}()
 	}

--- a/server/resolvers/profile.go
+++ b/server/resolvers/profile.go
@@ -6,7 +6,7 @@ import (

 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -18,30 +18,17 @@ func ProfileResolver(ctx context.Context) (*model.User, error) {
 		return res, err
 	}

-	token, err := utils.GetAuthToken(gc)
+	claims, err := token.ValidateAccessToken(gc)
 	if err != nil {
 		return res, err
 	}

-	claim, err := utils.VerifyAuthToken(token)
+	userID := fmt.Sprintf("%v", claims["id"])
+
+	user, err := db.Provider.GetUserByID(userID)
 	if err != nil {
 		return res, err
 	}

-	userID := fmt.Sprintf("%v", claim["id"])
-	email := fmt.Sprintf("%v", claim["email"])
-	sessionToken := session.GetUserSession(userID, token)
-
-	if sessionToken == "" {
-		return res, fmt.Errorf(`unauthorized`)
-	}
-
-	user, err := db.Provider.GetUserByEmail(email)
-	if err != nil {
-		return res, err
-	}
-
-	res = utils.GetResponseUserData(user)
-
-	return res, nil
+	return user.AsAPIUser(), nil
 }
--- a/server/resolvers/resend_verify_email.go
+++ b/server/resolvers/resend_verify_email.go
@@ -11,6 +11,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -38,12 +39,12 @@ func ResendVerifyEmailResolver(ctx context.Context, params model.ResendVerifyEma
 		log.Println("error deleting verification request:", err)
 	}

-	token, err := utils.CreateVerificationToken(params.Email, params.Identifier)
+	verificationToken, err := token.CreateVerificationToken(params.Email, params.Identifier)
 	if err != nil {
 		log.Println(`error generating token`, err)
 	}
 	db.Provider.AddVerificationRequest(models.VerificationRequest{
-		Token:      token,
+		Token:      verificationToken,
 		Identifier: params.Identifier,
 		ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 		Email:      params.Email,
@@ -51,7 +52,7 @@ func ResendVerifyEmailResolver(ctx context.Context, params model.ResendVerifyEma

 	// exec it as go routin so that we can reduce the api latency
 	go func() {
-		email.SendVerificationMail(params.Email, token)
+		email.SendVerificationMail(params.Email, verificationToken)
 	}()

 	res = &model.Response{
--- a/server/resolvers/reset_password.go
+++ b/server/resolvers/reset_password.go
@@ -10,6 +10,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -30,7 +31,7 @@ func ResetPasswordResolver(ctx context.Context, params model.ResetPasswordInput)
 	}

 	// verify if token exists in db
-	claim, err := utils.VerifyVerificationToken(params.Token)
+	claim, err := token.VerifyVerificationToken(params.Token)
 	if err != nil {
 		return res, fmt.Errorf(`invalid token`)
 	}
--- a/server/resolvers/session.go
+++ b/server/resolvers/session.go
@@ -3,80 +3,92 @@ package resolvers
 import (
 	"context"
 	"fmt"
-	"time"

-	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
-	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

 // SessionResolver is a resolver for session query
-func SessionResolver(ctx context.Context, roles []string) (*model.AuthResponse, error) {
+func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*model.AuthResponse, error) {
 	var res *model.AuthResponse

 	gc, err := utils.GinContextFromContext(ctx)
 	if err != nil {
 		return res, err
 	}
-	token, err := utils.GetAuthToken(gc)
+
+	// get refresh token
+	refreshToken, err := token.GetRefreshToken(gc)
 	if err != nil {
 		return res, err
 	}

-	claim, accessTokenErr := utils.VerifyAuthToken(token)
-	expiresAt := claim["exp"].(int64)
-	email := fmt.Sprintf("%v", claim["email"])
-
-	user, err := db.Provider.GetUserByEmail(email)
+	// get fingerprint hash
+	fingerprintHash, err := token.GetFingerPrint(gc)
 	if err != nil {
 		return res, err
 	}

-	userIdStr := fmt.Sprintf("%v", user.ID)
+	decryptedFingerPrint, err := utils.DecryptAES([]byte(fingerprintHash))
+	if err != nil {
+		return res, err
+	}

-	sessionToken := session.GetUserSession(userIdStr, token)
+	fingerPrint := string(decryptedFingerPrint)

-	if sessionToken == "" {
+	// verify refresh token and fingerprint
+	claims, err := token.VerifyJWTToken(refreshToken)
+	if err != nil {
+		return res, err
+	}
+
+	userID := claims["id"].(string)
+
+	persistedRefresh := sessionstore.GetUserSession(userID, fingerPrint)
+	if refreshToken != persistedRefresh {
 		return res, fmt.Errorf(`unauthorized`)
 	}

-	expiresTimeObj := time.Unix(expiresAt, 0)
-	currentTimeObj := time.Now()
-
-	claimRoleInterface := claim[envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)].([]interface{})
-	claimRoles := make([]string, len(claimRoleInterface))
-	for i, v := range claimRoleInterface {
-		claimRoles[i] = v.(string)
+	user, err := db.Provider.GetUserByID(userID)
+	if err != nil {
+		return res, err
 	}

-	if len(roles) > 0 {
-		for _, v := range roles {
+	// refresh token has "roles" as claim
+	claimRoleInterface := claims["roles"].([]interface{})
+	claimRoles := []string{}
+	for _, v := range claimRoleInterface {
+		claimRoles = append(claimRoles, v.(string))
+	}
+
+	if params != nil && params.Roles != nil && len(params.Roles) > 0 {
+		for _, v := range params.Roles {
 			if !utils.StringSliceContains(claimRoles, v) {
 				return res, fmt.Errorf(`unauthorized`)
 			}
 		}
 	}

-	// TODO change this logic to make it more secure
-	if accessTokenErr != nil || expiresTimeObj.Sub(currentTimeObj).Minutes() <= 5 {
-		// if access token has expired and refresh/session token is valid
-		// generate new accessToken
-		currentRefreshToken := session.GetUserSession(userIdStr, token)
-		session.DeleteUserSession(userIdStr, token)
-		token, expiresAt, _ = utils.CreateAuthToken(user, constants.TokenTypeAccessToken, claimRoles)
-		session.SetUserSession(userIdStr, token, currentRefreshToken)
-		utils.SaveSessionInDB(user.ID, gc)
+	// delete older session
+	sessionstore.DeleteUserSession(userID, fingerPrint)
+
+	authToken, err := token.CreateAuthToken(user, claimRoles)
+	if err != nil {
+		return res, err
+	}
+	sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+	cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
+
+	res = &model.AuthResponse{
+		Message:     `Session token refreshed`,
+		AccessToken: &authToken.AccessToken.Token,
+		ExpiresAt:   &authToken.AccessToken.ExpiresAt,
+		User:        user.AsAPIUser(),
 	}

-	utils.SetCookie(gc, token)
-	res = &model.AuthResponse{
-		Message:     `Token verified`,
-		AccessToken: &token,
-		ExpiresAt:   &expiresAt,
-		User:        utils.GetResponseUserData(user),
-	}
 	return res, nil
 }
--- a/server/resolvers/signup.go
+++ b/server/resolvers/signup.go
@@ -8,12 +8,14 @@ import (
 	"time"

 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -114,19 +116,18 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 	if err != nil {
 		return res, err
 	}
-	userIdStr := fmt.Sprintf("%v", user.ID)
 	roles := strings.Split(user.Roles, ",")
-	userToReturn := utils.GetResponseUserData(user)
+	userToReturn := user.AsAPIUser()

 	if !envstore.EnvInMemoryStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification) {
 		// insert verification request
 		verificationType := constants.VerificationTypeBasicAuthSignup
-		token, err := utils.CreateVerificationToken(params.Email, verificationType)
+		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
 		db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      token,
+			Token:      verificationToken,
 			Identifier: verificationType,
 			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 			Email:      params.Email,
@@ -134,7 +135,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR

 		// exec it as go routin so that we can reduce the api latency
 		go func() {
-			email.SendVerificationMail(params.Email, token)
+			email.SendVerificationMail(params.Email, verificationToken)
 		}()

 		res = &model.AuthResponse{
@@ -143,20 +144,20 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 		}
 	} else {

-		refreshToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeRefreshToken, roles)
-
-		accessToken, expiresAt, _ := utils.CreateAuthToken(user, constants.TokenTypeAccessToken, roles)
-
-		session.SetUserSession(userIdStr, accessToken, refreshToken)
+		authToken, err := token.CreateAuthToken(user, roles)
+		if err != nil {
+			return res, err
+		}
+		sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+		cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
 		utils.SaveSessionInDB(user.ID, gc)
+
 		res = &model.AuthResponse{
 			Message:     `Signed up successfully.`,
-			AccessToken: &accessToken,
-			ExpiresAt:   &expiresAt,
+			AccessToken: &authToken.AccessToken.Token,
+			ExpiresAt:   &authToken.AccessToken.ExpiresAt,
 			User:        userToReturn,
 		}
-
-		utils.SetCookie(gc, accessToken)
 	}

 	return res, nil
--- a/server/resolvers/update_env.go
+++ b/server/resolvers/update_env.go
@@ -9,9 +9,11 @@ import (
 	"reflect"

 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"golang.org/x/crypto/bcrypt"
 )
@@ -26,7 +28,7 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 		return res, err
 	}

-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}

@@ -74,6 +76,27 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 			updatedData.BoolEnv[constants.EnvKeyDisableMagicLinkLogin] = true
 		}
 	}
+
+	// check the roles change
+	if len(params.Roles) > 0 {
+		if len(params.DefaultRoles) > 0 {
+			// should be subset of roles
+			for _, role := range params.DefaultRoles {
+				if !utils.StringSliceContains(params.Roles, role) {
+					return res, fmt.Errorf("default role %s is not in roles", role)
+				}
+			}
+		}
+	}
+
+	if len(params.ProtectedRoles) > 0 {
+		for _, role := range params.ProtectedRoles {
+			if utils.StringSliceContains(params.Roles, role) || utils.StringSliceContains(params.DefaultRoles, role) {
+				return res, fmt.Errorf("protected role %s found roles or default roles", role)
+			}
+		}
+	}
+
 	// Update local store
 	envstore.EnvInMemoryStoreObj.UpdateEnvStore(updatedData)

@@ -88,11 +111,6 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 		return res, err
 	}

-	// in case of db change re-initialize db
-	if params.DatabaseType != nil || params.DatabaseURL != nil || params.DatabaseName != nil {
-		db.InitDB()
-	}
-
 	// in case of admin secret change update the cookie with new hash
 	if params.AdminSecret != nil {
 		if params.OldAdminSecret == nil {
@@ -108,7 +126,7 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 		if err != nil {
 			return res, err
 		}
-		utils.SetAdminCookie(gc, hashedKey)
+		cookie.SetAdminCookie(gc, hashedKey)
 	}

 	env.EnvData = encryptedConfig
--- a/server/resolvers/update_profile.go
+++ b/server/resolvers/update_profile.go
@@ -8,11 +8,13 @@ import (
 	"time"

 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"golang.org/x/crypto/bcrypt"
 )
@@ -25,29 +27,17 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 		return res, err
 	}

-	token, err := utils.GetAuthToken(gc)
+	claims, err := token.ValidateAccessToken(gc)
 	if err != nil {
 		return res, err
 	}

-	claim, err := utils.VerifyAuthToken(token)
-	if err != nil {
-		return res, err
-	}
-
-	id := fmt.Sprintf("%v", claim["id"])
-	sessionToken := session.GetUserSession(id, token)
-
-	if sessionToken == "" {
-		return res, fmt.Errorf(`unauthorized`)
-	}
-
 	// validate if all params are not empty
 	if params.GivenName == nil && params.FamilyName == nil && params.Picture == nil && params.MiddleName == nil && params.Nickname == nil && params.OldPassword == nil && params.Email == nil && params.Birthdate == nil && params.Gender == nil && params.PhoneNumber == nil {
-		return res, fmt.Errorf("please enter atleast one param to update")
+		return res, fmt.Errorf("please enter at least one param to update")
 	}

-	userEmail := fmt.Sprintf("%v", claim["email"])
+	userEmail := fmt.Sprintf("%v", claims["email"])
 	user, err := db.Provider.GetUserByEmail(userEmail)
 	if err != nil {
 		return res, err
@@ -123,20 +113,20 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 			return res, fmt.Errorf("user with this email address already exists")
 		}

-		session.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
-		utils.DeleteCookie(gc)
+		sessionstore.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
+		cookie.DeleteCookie(gc)

 		user.Email = newEmail
 		user.EmailVerifiedAt = nil
 		hasEmailChanged = true
 		// insert verification request
 		verificationType := constants.VerificationTypeUpdateEmail
-		token, err := utils.CreateVerificationToken(newEmail, verificationType)
+		verificationToken, err := token.CreateVerificationToken(newEmail, verificationType)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
 		db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      token,
+			Token:      verificationToken,
 			Identifier: verificationType,
 			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 			Email:      newEmail,
@@ -144,7 +134,7 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)

 		// exec it as go routin so that we can reduce the api latency
 		go func() {
-			email.SendVerificationMail(newEmail, token)
+			email.SendVerificationMail(newEmail, verificationToken)
 		}()
 	}

--- a/server/resolvers/update_user.go
+++ b/server/resolvers/update_user.go
@@ -8,12 +8,14 @@ import (
 	"time"

 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -26,7 +28,7 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 		return res, err
 	}

-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}

@@ -93,19 +95,19 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 			return res, fmt.Errorf("user with this email address already exists")
 		}

-		session.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
-		utils.DeleteCookie(gc)
+		sessionstore.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
+		cookie.DeleteCookie(gc)

 		user.Email = newEmail
 		user.EmailVerifiedAt = nil
 		// insert verification request
 		verificationType := constants.VerificationTypeUpdateEmail
-		token, err := utils.CreateVerificationToken(newEmail, verificationType)
+		verificationToken, err := token.CreateVerificationToken(newEmail, verificationType)
 		if err != nil {
 			log.Println(`error generating token`, err)
 		}
 		db.Provider.AddVerificationRequest(models.VerificationRequest{
-			Token:      token,
+			Token:      verificationToken,
 			Identifier: verificationType,
 			ExpiresAt:  time.Now().Add(time.Minute * 30).Unix(),
 			Email:      newEmail,
@@ -113,7 +115,7 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod

 		// exec it as go routin so that we can reduce the api latency
 		go func() {
-			email.SendVerificationMail(newEmail, token)
+			email.SendVerificationMail(newEmail, verificationToken)
 		}()
 	}

@@ -133,8 +135,8 @@ func UpdateUserResolver(ctx context.Context, params model.UpdateUserInput) (*mod
 			rolesToSave = strings.Join(inputRoles, ",")
 		}

-		session.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
-		utils.DeleteCookie(gc)
+		sessionstore.DeleteAllUserSession(fmt.Sprintf("%v", user.ID))
+		cookie.DeleteCookie(gc)
 	}

 	if rolesToSave != "" {
--- a/server/resolvers/users.go
+++ b/server/resolvers/users.go
@@ -6,6 +6,7 @@ import (

 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -18,7 +19,7 @@ func UsersResolver(ctx context.Context) ([]*model.User, error) {
 		return res, err
 	}

-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}

@@ -28,7 +29,7 @@ func UsersResolver(ctx context.Context) ([]*model.User, error) {
 	}

 	for i := 0; i < len(users); i++ {
-		res = append(res, utils.GetResponseUserData(users[i]))
+		res = append(res, users[i].AsAPIUser())
 	}

 	return res, nil
--- a/server/resolvers/verification_requests.go
+++ b/server/resolvers/verification_requests.go
@@ -6,6 +6,7 @@ import (

 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -18,7 +19,7 @@ func VerificationRequestsResolver(ctx context.Context) ([]*model.VerificationReq
 		return res, err
 	}

-	if !utils.IsSuperAdmin(gc) {
+	if !token.IsSuperAdmin(gc) {
 		return res, fmt.Errorf("unauthorized")
 	}

--- a/server/resolvers/verify_email.go
+++ b/server/resolvers/verify_email.go
@@ -6,10 +6,11 @@ import (
 	"strings"
 	"time"

-	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )

@@ -27,7 +28,7 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
 	}

 	// verify if token exists in db
-	claim, err := utils.VerifyVerificationToken(params.Token)
+	claim, err := token.VerifyVerificationToken(params.Token)
 	if err != nil {
 		return res, fmt.Errorf(`invalid token`)
 	}
@@ -45,20 +46,20 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
 	db.Provider.DeleteVerificationRequest(verificationRequest)

 	roles := strings.Split(user.Roles, ",")
-	refreshToken, _, _ := utils.CreateAuthToken(user, constants.TokenTypeRefreshToken, roles)
-	accessToken, expiresAt, _ := utils.CreateAuthToken(user, constants.TokenTypeAccessToken, roles)
-
-	session.SetUserSession(user.ID, accessToken, refreshToken)
+	authToken, err := token.CreateAuthToken(user, roles)
+	if err != nil {
+		return res, err
+	}
+	sessionstore.SetUserSession(user.ID, authToken.FingerPrint, authToken.RefreshToken.Token)
+	cookie.SetCookie(gc, authToken.AccessToken.Token, authToken.RefreshToken.Token, authToken.FingerPrintHash)
 	utils.SaveSessionInDB(user.ID, gc)

 	res = &model.AuthResponse{
 		Message:     `Email verified successfully.`,
-		AccessToken: &accessToken,
-		ExpiresAt:   &expiresAt,
-		User:        utils.GetResponseUserData(user),
+		AccessToken: &authToken.AccessToken.Token,
+		ExpiresAt:   &authToken.AccessToken.ExpiresAt,
+		User:        user.AsAPIUser(),
 	}

-	utils.SetCookie(gc, accessToken)
-
 	return res, nil
 }
--- a/server/sessionstore/in_memory_session.go
+++ b/server/sessionstore/in_memory_session.go
@@ -1,4 +1,4 @@
-package session
+package sessionstore

 import (
 	"sync"
@@ -69,6 +69,19 @@ func (c *InMemoryStore) GetUserSession(userId, accessToken string) string {
 	return token
 }

+// GetUserSessions returns all the user session token from the in-memory store.
+func (c *InMemoryStore) GetUserSessions(userId string) map[string]string {
+	// c.mutex.Lock()
+	// defer c.mutex.Unlock()
+
+	sessionMap, ok := c.store[userId]
+	if !ok {
+		return nil
+	}
+
+	return sessionMap
+}
+
 // SetSocialLoginState sets the social login state in the in-memory store.
 func (c *InMemoryStore) SetSocialLoginState(key, state string) {
 	c.mutex.Lock()
--- a/server/sessionstore/redis_store.go
+++ b/server/sessionstore/redis_store.go
@@ -1,4 +1,4 @@
-package session
+package sessionstore

 import (
 	"context"
@@ -60,6 +60,16 @@ func (c *RedisStore) GetUserSession(userId, accessToken string) string {
 	return token
 }

+// GetUserSessions returns all the user session token from the redis store.
+func (c *RedisStore) GetUserSessions(userID string) map[string]string {
+	res, err := c.store.HGetAll(c.ctx, "authorizer_"+userID).Result()
+	if err != nil {
+		log.Println("error getting token from redis store:", err)
+	}
+
+	return res
+}
+
 // SetSocialLoginState sets the social login state in redis store.
 func (c *RedisStore) SetSocialLoginState(key, state string) {
 	err := c.store.Set(c.ctx, key, state, 0).Err()
--- a/server/sessionstore/session.go
+++ b/server/sessionstore/session.go
@@ -1,4 +1,4 @@
-package session
+package sessionstore

 import (
 	"context"
@@ -22,22 +22,22 @@ type SessionStore struct {
 var SessionStoreObj SessionStore

 // SetUserSession sets the user session in the session store
-func SetUserSession(userId, accessToken, refreshToken string) {
+func SetUserSession(userId, fingerprint, refreshToken string) {
 	if SessionStoreObj.RedisMemoryStoreObj != nil {
-		SessionStoreObj.RedisMemoryStoreObj.AddUserSession(userId, accessToken, refreshToken)
+		SessionStoreObj.RedisMemoryStoreObj.AddUserSession(userId, fingerprint, refreshToken)
 	}
 	if SessionStoreObj.InMemoryStoreObj != nil {
-		SessionStoreObj.InMemoryStoreObj.AddUserSession(userId, accessToken, refreshToken)
+		SessionStoreObj.InMemoryStoreObj.AddUserSession(userId, fingerprint, refreshToken)
 	}
 }

 // DeleteUserSession deletes the particular user session from the session store
-func DeleteUserSession(userId, accessToken string) {
+func DeleteUserSession(userId, fingerprint string) {
 	if SessionStoreObj.RedisMemoryStoreObj != nil {
-		SessionStoreObj.RedisMemoryStoreObj.DeleteUserSession(userId, accessToken)
+		SessionStoreObj.RedisMemoryStoreObj.DeleteUserSession(userId, fingerprint)
 	}
 	if SessionStoreObj.InMemoryStoreObj != nil {
-		SessionStoreObj.InMemoryStoreObj.DeleteUserSession(userId, accessToken)
+		SessionStoreObj.InMemoryStoreObj.DeleteUserSession(userId, fingerprint)
 	}
 }

@@ -52,17 +52,29 @@ func DeleteAllUserSession(userId string) {
 }

 // GetUserSession returns the user session from the session store
-func GetUserSession(userId, accessToken string) string {
+func GetUserSession(userId, fingerprint string) string {
 	if SessionStoreObj.RedisMemoryStoreObj != nil {
-		return SessionStoreObj.RedisMemoryStoreObj.GetUserSession(userId, accessToken)
+		return SessionStoreObj.RedisMemoryStoreObj.GetUserSession(userId, fingerprint)
 	}
 	if SessionStoreObj.InMemoryStoreObj != nil {
-		return SessionStoreObj.InMemoryStoreObj.GetUserSession(userId, accessToken)
+		return SessionStoreObj.InMemoryStoreObj.GetUserSession(userId, fingerprint)
 	}

 	return ""
 }

+// GetUserSessions returns all the user sessions from the session store
+func GetUserSessions(userId string) map[string]string {
+	if SessionStoreObj.RedisMemoryStoreObj != nil {
+		return SessionStoreObj.RedisMemoryStoreObj.GetUserSessions(userId)
+	}
+	if SessionStoreObj.InMemoryStoreObj != nil {
+		return SessionStoreObj.InMemoryStoreObj.GetUserSessions(userId)
+	}
+
+	return nil
+}
+
 // ClearStore clears the session store for authorizer tokens
 func ClearStore() {
 	if SessionStoreObj.RedisMemoryStoreObj != nil {
--- a/server/test/is_valid_jwt_test.go
+++ b/server/test/is_valid_jwt_test.go
@@ -0,0 +1,38 @@
+package test
+
+import (
+	"testing"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/authorizerdev/authorizer/server/token"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func isValidJWTTests(t *testing.T, s TestSetup) {
+	t.Helper()
+	_, ctx := createContext(s)
+	expiredToken := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhbGxvd2VkX3JvbGVzIjpbIiJdLCJiaXJ0aGRhdGUiOm51bGwsImNyZWF0ZWRfYXQiOjAsImVtYWlsIjoiam9obi5kb2VAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJleHAiOjE2NDI5NjEwMTEsImV4dHJhIjp7IngtZXh0cmEtaWQiOiJkMmNhMjQwNy05MzZmLTQwYzQtOTQ2NS05Y2M5MWYxZTJhNDQifSwiZmFtaWx5X25hbWUiOm51bGwsImdlbmRlciI6bnVsbCwiZ2l2ZW5fbmFtZSI6bnVsbCwiaWF0IjoxNjQyOTYwOTgxLCJpZCI6ImQyY2EyNDA3LTkzNmYtNDBjNC05NDY1LTljYzkxZjFlMmE0NCIsIm1pZGRsZV9uYW1lIjpudWxsLCJuaWNrbmFtZSI6bnVsbCwicGhvbmVfbnVtYmVyIjpudWxsLCJwaG9uZV9udW1iZXJfdmVyaWZpZWQiOmZhbHNlLCJwaWN0dXJlIjpudWxsLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJqb2huLmRvZUBnbWFpbC5jb20iLCJyb2xlIjpbXSwic2lnbnVwX21ldGhvZHMiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwidXBkYXRlZF9hdCI6MH0.FrdyeOC5e8uU1SowGj0omFJuwRnh4BrEk89S_fbEkzs"
+
+	t.Run(`should fail for invalid jwt`, func(t *testing.T) {
+		_, err := resolvers.IsValidJwtResolver(ctx, &model.IsValidJWTQueryInput{
+			Jwt: &expiredToken,
+		})
+		assert.NotNil(t, err)
+	})
+
+	t.Run(`should pass with valid jwt`, func(t *testing.T) {
+		authToken, err := token.CreateAuthToken(models.User{
+			ID:    uuid.New().String(),
+			Email: "john.doe@gmail.com",
+		}, []string{})
+		assert.Nil(t, err)
+		res, err := resolvers.IsValidJwtResolver(ctx, &model.IsValidJWTQueryInput{
+			Jwt: &authToken.AccessToken.Token,
+		})
+		assert.Nil(t, err)
+		assert.True(t, res.Valid)
+	})
+}
--- a/server/test/logout_test.go
+++ b/server/test/logout_test.go
@@ -2,6 +2,7 @@ package test

 import (
 	"fmt"
+	"net/url"
 	"testing"

 	"github.com/authorizerdev/authorizer/server/constants"
@@ -9,6 +10,8 @@ import (
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/stretchr/testify/assert"
 )

@@ -27,12 +30,22 @@ func logoutTests(t *testing.T, s TestSetup) {
 			Token: verificationRequest.Token,
 		})

+		sessions := sessionstore.GetUserSessions(verifyRes.User.ID)
+		fingerPrint := ""
+		refreshToken := ""
+		for key, val := range sessions {
+			fingerPrint = key
+			refreshToken = val
+		}
+
+		fingerPrintHash, _ := utils.EncryptAES([]byte(fingerPrint))
+
 		token := *verifyRes.AccessToken
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName), token))
+		cookie := fmt.Sprintf("%s=%s;%s=%s;%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".fingerprint", url.QueryEscape(string(fingerPrintHash)), envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".refresh_token", refreshToken, envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", token)
+
+		req.Header.Set("Cookie", cookie)
 		_, err = resolvers.LogoutResolver(ctx)
 		assert.Nil(t, err)
-		_, err = resolvers.ProfileResolver(ctx)
-		assert.NotNil(t, err, "unauthorized")
 		cleanData(email)
 	})
 }
--- a/server/test/magic_link_login_test.go
+++ b/server/test/magic_link_login_test.go
@@ -29,7 +29,7 @@ func magicLinkLoginTests(t *testing.T, s TestSetup) {
 		})

 		token := *verifyRes.AccessToken
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName), token))
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", token))
 		_, err = resolvers.ProfileResolver(ctx)
 		assert.Nil(t, err)

--- a/server/test/profile_test.go
+++ b/server/test/profile_test.go
@@ -33,7 +33,7 @@ func profileTests(t *testing.T, s TestSetup) {
 		})

 		token := *verifyRes.AccessToken
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName), token))
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", token))
 		profileRes, err := resolvers.ProfileResolver(ctx)
 		assert.Nil(t, err)

--- a/server/test/resolvers_test.go
+++ b/server/test/resolvers_test.go
@@ -11,9 +11,9 @@ import (

 func TestResolvers(t *testing.T) {
 	databases := map[string]string{
-		constants.DbTypeSqlite:   "../../data.db",
-		constants.DbTypeArangodb: "http://localhost:8529",
-		constants.DbTypeMongodb:  "mongodb://localhost:27017",
+		constants.DbTypeSqlite: "../../data.db",
+		// constants.DbTypeArangodb: "http://localhost:8529",
+		// constants.DbTypeMongodb:  "mongodb://localhost:27017",
 	}
 	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyVersion, "test")
 	for dbType, dbURL := range databases {
@@ -60,6 +60,7 @@ func TestResolvers(t *testing.T) {
 			magicLinkLoginTests(t, s)
 			logoutTests(t, s)
 			metaTests(t, s)
+			isValidJWTTests(t, s)
 		})
 	}
 }
--- a/server/test/session_test.go
+++ b/server/test/session_test.go
@@ -2,6 +2,7 @@ package test

 import (
 	"fmt"
+	"net/url"
 	"testing"

 	"github.com/authorizerdev/authorizer/server/constants"
@@ -9,6 +10,8 @@ import (
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/stretchr/testify/assert"
 )

@@ -24,7 +27,7 @@ func sessionTests(t *testing.T, s TestSetup) {
 			ConfirmPassword: s.TestInfo.Password,
 		})

-		_, err := resolvers.SessionResolver(ctx, []string{})
+		_, err := resolvers.SessionResolver(ctx, &model.SessionQueryInput{})
 		assert.NotNil(t, err, "unauthorized")

 		verificationRequest, err := db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeBasicAuthSignup)
@@ -32,15 +35,24 @@ func sessionTests(t *testing.T, s TestSetup) {
 			Token: verificationRequest.Token,
 		})

+		sessions := sessionstore.GetUserSessions(verifyRes.User.ID)
+		fingerPrint := ""
+		refreshToken := ""
+		for key, val := range sessions {
+			fingerPrint = key
+			refreshToken = val
+		}
+
+		fingerPrintHash, _ := utils.EncryptAES([]byte(fingerPrint))
+
 		token := *verifyRes.AccessToken
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName), token))
+		cookie := fmt.Sprintf("%s=%s;%s=%s;%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".fingerprint", url.QueryEscape(string(fingerPrintHash)), envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".refresh_token", refreshToken, envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", token)

-		sessionRes, err := resolvers.SessionResolver(ctx, []string{})
+		req.Header.Set("Cookie", cookie)
+
+		_, err = resolvers.SessionResolver(ctx, &model.SessionQueryInput{})
 		assert.Nil(t, err)

-		newToken := *sessionRes.AccessToken
-		assert.Equal(t, token, newToken, "tokens should be equal")
-
 		cleanData(email)
 	})
 }
--- a/server/test/test.go
+++ b/server/test/test.go
@@ -13,7 +13,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/handlers"
 	"github.com/authorizerdev/authorizer/server/middlewares"
-	"github.com/authorizerdev/authorizer/server/session"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
 	"github.com/gin-contrib/location"
 	"github.com/gin-gonic/gin"
 )
@@ -75,7 +75,7 @@ func testSetup() TestSetup {
 	envstore.EnvInMemoryStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEnvPath, "../../.env.sample")

 	env.InitEnv()
-	session.InitSession()
+	sessionstore.InitSession()

 	w := httptest.NewRecorder()
 	c, r := gin.CreateTestContext(w)
--- a/server/test/update_profile_test.go
+++ b/server/test/update_profile_test.go
@@ -36,7 +36,7 @@ func updateProfileTests(t *testing.T, s TestSetup) {
 		})

 		token := *verifyRes.AccessToken
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName), token))
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+".access_token", token))
 		_, err = resolvers.UpdateProfileResolver(ctx, model.UpdateProfileInput{
 			FamilyName: &fName,
 		})
--- a/server/token/admin_token.go
+++ b/server/token/admin_token.go
@@ -0,0 +1,49 @@
+package token
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/utils"
+	"github.com/gin-gonic/gin"
+	"golang.org/x/crypto/bcrypt"
+)
+
+// CreateAdminAuthToken creates the admin token based on secret key
+func CreateAdminAuthToken(tokenType string, c *gin.Context) (string, error) {
+	return utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
+}
+
+// GetAdminAuthToken helps in getting the admin token from the request cookie
+func GetAdminAuthToken(gc *gin.Context) (string, error) {
+	token, err := cookie.GetAdminCookie(gc)
+	if err != nil || token == "" {
+		return "", fmt.Errorf("unauthorized")
+	}
+
+	err = bcrypt.CompareHashAndPassword([]byte(token), []byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret)))
+	log.Println("error comparing hash:", err)
+	if err != nil {
+		return "", fmt.Errorf(`unauthorized`)
+	}
+
+	return token, nil
+}
+
+// IsSuperAdmin checks if user is super admin
+func IsSuperAdmin(gc *gin.Context) bool {
+	token, err := GetAdminAuthToken(gc)
+	if err != nil {
+		secret := gc.Request.Header.Get("x-authorizer-admin-secret")
+		if secret == "" {
+			return false
+		}
+
+		return secret == envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret)
+	}
+
+	return token != ""
+}
--- a/server/token/auth_token.go
+++ b/server/token/auth_token.go
@@ -0,0 +1,238 @@
+package token
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/db/models"
+	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/utils"
+	"github.com/gin-gonic/gin"
+	"github.com/golang-jwt/jwt"
+	"github.com/google/uuid"
+	"github.com/robertkrimen/otto"
+)
+
+// JWTToken is a struct to hold JWT token and its expiration time
+type JWTToken struct {
+	Token     string `json:"token"`
+	ExpiresAt int64  `json:"expires_at"`
+}
+
+// Token object to hold the finger print and refresh token information
+type Token struct {
+	FingerPrint     string    `json:"fingerprint"`
+	FingerPrintHash string    `json:"fingerprint_hash"`
+	RefreshToken    *JWTToken `json:"refresh_token"`
+	AccessToken     *JWTToken `json:"access_token"`
+}
+
+// CreateAuthToken creates a new auth token when userlogs in
+func CreateAuthToken(user models.User, roles []string) (*Token, error) {
+	fingerprint := uuid.NewString()
+	fingerPrintHashBytes, err := utils.EncryptAES([]byte(fingerprint))
+	if err != nil {
+		return nil, err
+	}
+	refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles)
+	if err != nil {
+		return nil, err
+	}
+
+	accessToken, accessTokenExpiresAt, err := CreateAccessToken(user, roles)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Token{
+		FingerPrint:     fingerprint,
+		FingerPrintHash: string(fingerPrintHashBytes),
+		RefreshToken:    &JWTToken{Token: refreshToken, ExpiresAt: refreshTokenExpiresAt},
+		AccessToken:     &JWTToken{Token: accessToken, ExpiresAt: accessTokenExpiresAt},
+	}, nil
+}
+
+// CreateRefreshToken util to create JWT token
+func CreateRefreshToken(user models.User, roles []string) (string, int64, error) {
+	t := jwt.New(jwt.GetSigningMethod(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtType)))
+	// expires in 1 year
+	expiryBound := time.Hour * 8760
+	expiresAt := time.Now().Add(expiryBound).Unix()
+
+	customClaims := jwt.MapClaims{
+		"exp":        expiresAt,
+		"iat":        time.Now().Unix(),
+		"token_type": constants.TokenTypeRefreshToken,
+		"roles":      roles,
+		"id":         user.ID,
+	}
+
+	t.Claims = customClaims
+	token, err := t.SignedString([]byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)))
+	if err != nil {
+		return "", 0, err
+	}
+	return token, expiresAt, nil
+}
+
+// CreateAccessToken util to create JWT token, based on
+// user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT
+func CreateAccessToken(user models.User, roles []string) (string, int64, error) {
+	t := jwt.New(jwt.GetSigningMethod(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtType)))
+	expiryBound := time.Minute * 30
+
+	expiresAt := time.Now().Add(expiryBound).Unix()
+
+	resUser := user.AsAPIUser()
+	userBytes, _ := json.Marshal(&resUser)
+	var userMap map[string]interface{}
+	json.Unmarshal(userBytes, &userMap)
+
+	claimKey := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)
+	customClaims := jwt.MapClaims{
+		"exp":           expiresAt,
+		"iat":           time.Now().Unix(),
+		"token_type":    constants.TokenTypeAccessToken,
+		"allowed_roles": strings.Split(user.Roles, ","),
+		claimKey:        roles,
+	}
+
+	for k, v := range userMap {
+		if k != "roles" {
+			customClaims[k] = v
+		}
+	}
+
+	// check for the extra access token script
+	accessTokenScript := os.Getenv(constants.EnvKeyCustomAccessTokenScript)
+	if accessTokenScript != "" {
+		vm := otto.New()
+
+		claimBytes, _ := json.Marshal(customClaims)
+		vm.Run(fmt.Sprintf(`
+			var user = %s;
+			var tokenPayload = %s;
+			var customFunction = %s;
+			var functionRes = JSON.stringify(customFunction(user, tokenPayload));
+		`, string(userBytes), string(claimBytes), accessTokenScript))
+
+		val, err := vm.Get("functionRes")
+
+		if err != nil {
+			log.Println("error getting custom access token script:", err)
+		} else {
+			extraPayload := make(map[string]interface{})
+			err = json.Unmarshal([]byte(fmt.Sprintf("%s", val)), &extraPayload)
+			if err != nil {
+				log.Println("error converting accessTokenScript response to map:", err)
+			} else {
+				for k, v := range extraPayload {
+					customClaims[k] = v
+				}
+			}
+		}
+	}
+
+	t.Claims = customClaims
+
+	token, err := t.SignedString([]byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)))
+	if err != nil {
+		return "", 0, err
+	}
+
+	return token, expiresAt, nil
+}
+
+// GetAccessToken returns the access token from the request (either from header or cookie)
+func GetAccessToken(gc *gin.Context) (string, error) {
+	token, err := cookie.GetAccessTokenCookie(gc)
+	if err != nil || token == "" {
+		// try to check in auth header for cookie
+		auth := gc.Request.Header.Get("Authorization")
+		if auth == "" {
+			return "", fmt.Errorf(`unauthorized`)
+		}
+
+		token = strings.TrimPrefix(auth, "Bearer ")
+
+	}
+	return token, nil
+}
+
+// GetRefreshToken returns the refresh token from cookie / request query url
+func GetRefreshToken(gc *gin.Context) (string, error) {
+	token, err := cookie.GetRefreshTokenCookie(gc)
+
+	if err != nil || token == "" {
+		return "", fmt.Errorf(`unauthorized`)
+	}
+
+	return token, nil
+}
+
+// GetFingerPrint returns the finger print from cookie
+func GetFingerPrint(gc *gin.Context) (string, error) {
+	fingerPrint, err := cookie.GetFingerPrintCookie(gc)
+	if err != nil || fingerPrint == "" {
+		return "", fmt.Errorf(`no finger print`)
+	}
+	return fingerPrint, nil
+}
+
+// VerifyJWTToken helps in verifying the JWT token
+func VerifyJWTToken(token string) (map[string]interface{}, error) {
+	var res map[string]interface{}
+	claims := jwt.MapClaims{}
+
+	t, err := jwt.ParseWithClaims(token, claims, func(token *jwt.Token) (interface{}, error) {
+		return []byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)), nil
+	})
+	if err != nil {
+		return res, err
+	}
+
+	if !t.Valid {
+		return res, fmt.Errorf(`invalid token`)
+	}
+
+	// claim parses exp & iat into float 64 with e^10,
+	// but we expect it to be int64
+	// hence we need to assert interface and convert to int64
+	intExp := int64(claims["exp"].(float64))
+	intIat := int64(claims["iat"].(float64))
+
+	data, _ := json.Marshal(claims)
+	json.Unmarshal(data, &res)
+	res["exp"] = intExp
+	res["iat"] = intIat
+
+	return res, nil
+}
+
+func ValidateAccessToken(gc *gin.Context) (map[string]interface{}, error) {
+	token, err := GetAccessToken(gc)
+	if err != nil {
+		return nil, err
+	}
+
+	claims, err := VerifyJWTToken(token)
+	if err != nil {
+		return nil, err
+	}
+
+	// also validate if there is user session present with access token
+	sessions := sessionstore.GetUserSessions(claims["id"].(string))
+	if len(sessions) == 0 {
+		return nil, errors.New("unauthorized")
+	}
+
+	return claims, nil
+}
--- a/server/token/verification_token.go
+++ b/server/token/verification_token.go
@@ -1,4 +1,4 @@
-package utils
+package token

 import (
 	"time"
@@ -8,10 +8,8 @@ import (
 	"github.com/golang-jwt/jwt"
 )

-// TODO see if we can move this to different service
-
-// UserInfo is the user info that is stored in the JWT of verification request
-type UserInfo struct {
+// VerificationRequestToken is the user info that is stored in the JWT of verification request
+type VerificationRequestToken struct {
 	Email       string `json:"email"`
 	Host        string `json:"host"`
 	RedirectURL string `json:"redirect_url"`
@@ -21,7 +19,7 @@ type UserInfo struct {
 type CustomClaim struct {
 	*jwt.StandardClaims
 	TokenType string `json:"token_type"`
-	UserInfo
+	VerificationRequestToken
 }

 // CreateVerificationToken creates a verification JWT token
@@ -33,7 +31,7 @@ func CreateVerificationToken(email string, tokenType string) (string, error) {
 			ExpiresAt: time.Now().Add(time.Minute * 30).Unix(),
 		},
 		tokenType,
-		UserInfo{Email: email, Host: envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL), RedirectURL: envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)},
+		VerificationRequestToken{Email: email, Host: envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL), RedirectURL: envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAppURL)},
 	}

 	return t.SignedString([]byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)))
--- a/server/utils/auth_token.go
+++ b/server/utils/auth_token.go
@@ -1,161 +0,0 @@
-package utils
-
-import (
-	"encoding/json"
-	"fmt"
-	"log"
-	"net/url"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/authorizerdev/authorizer/server/constants"
-	"github.com/authorizerdev/authorizer/server/db/models"
-	"github.com/authorizerdev/authorizer/server/envstore"
-	"github.com/gin-gonic/gin"
-	"github.com/golang-jwt/jwt"
-	"github.com/robertkrimen/otto"
-	"golang.org/x/crypto/bcrypt"
-)
-
-// CreateAuthToken util to create JWT token, based on
-// user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT
-func CreateAuthToken(user models.User, tokenType string, roles []string) (string, int64, error) {
-	t := jwt.New(jwt.GetSigningMethod(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtType)))
-	expiryBound := time.Hour
-	if tokenType == constants.TokenTypeRefreshToken {
-		// expires in 1 year
-		expiryBound = time.Hour * 8760
-	}
-
-	expiresAt := time.Now().Add(expiryBound).Unix()
-
-	resUser := GetResponseUserData(user)
-	userBytes, _ := json.Marshal(&resUser)
-	var userMap map[string]interface{}
-	json.Unmarshal(userBytes, &userMap)
-
-	claimKey := envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)
-	customClaims := jwt.MapClaims{
-		"exp":           expiresAt,
-		"iat":           time.Now().Unix(),
-		"token_type":    tokenType,
-		"allowed_roles": strings.Split(user.Roles, ","),
-		claimKey:        roles,
-	}
-
-	for k, v := range userMap {
-		if k != "roles" {
-			customClaims[k] = v
-		}
-	}
-
-	// check for the extra access token script
-	accessTokenScript := os.Getenv(constants.EnvKeyCustomAccessTokenScript)
-	if accessTokenScript != "" {
-		vm := otto.New()
-
-		claimBytes, _ := json.Marshal(customClaims)
-		vm.Run(fmt.Sprintf(`
-			var user = %s;
-			var tokenPayload = %s;
-			var customFunction = %s;
-			var functionRes = JSON.stringify(customFunction(user, tokenPayload));
-		`, string(userBytes), string(claimBytes), accessTokenScript))
-
-		val, err := vm.Get("functionRes")
-
-		if err != nil {
-			log.Println("error getting custom access token script:", err)
-		} else {
-			extraPayload := make(map[string]interface{})
-			err = json.Unmarshal([]byte(fmt.Sprintf("%s", val)), &extraPayload)
-			if err != nil {
-				log.Println("error converting accessTokenScript response to map:", err)
-			} else {
-				for k, v := range extraPayload {
-					customClaims[k] = v
-				}
-			}
-		}
-	}
-
-	t.Claims = customClaims
-
-	token, err := t.SignedString([]byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)))
-	if err != nil {
-		return "", 0, err
-	}
-
-	return token, expiresAt, nil
-}
-
-// GetAuthToken helps in getting the JWT token from the
-// request cookie or authorization header
-func GetAuthToken(gc *gin.Context) (string, error) {
-	token, err := GetCookie(gc)
-	if err != nil || token == "" {
-		// try to check in auth header for cookie
-		auth := gc.Request.Header.Get("Authorization")
-		if auth == "" {
-			return "", fmt.Errorf(`unauthorized`)
-		}
-
-		token = strings.TrimPrefix(auth, "Bearer ")
-	}
-	return token, nil
-}
-
-// VerifyAuthToken helps in verifying the JWT token
-func VerifyAuthToken(token string) (map[string]interface{}, error) {
-	var res map[string]interface{}
-	claims := jwt.MapClaims{}
-
-	_, err := jwt.ParseWithClaims(token, claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyJwtSecret)), nil
-	})
-	if err != nil {
-		return res, err
-	}
-
-	// claim parses exp & iat into float 64 with e^10,
-	// but we expect it to be int64
-	// hence we need to assert interface and convert to int64
-	intExp := int64(claims["exp"].(float64))
-	intIat := int64(claims["iat"].(float64))
-
-	data, _ := json.Marshal(claims)
-	json.Unmarshal(data, &res)
-	res["exp"] = intExp
-	res["iat"] = intIat
-
-	return res, nil
-}
-
-// CreateAdminAuthToken creates the admin token based on secret key
-func CreateAdminAuthToken(tokenType string, c *gin.Context) (string, error) {
-	return EncryptPassword(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret))
-}
-
-// GetAdminAuthToken helps in getting the admin token from the request cookie
-func GetAdminAuthToken(gc *gin.Context) (string, error) {
-	token, err := GetAdminCookie(gc)
-	if err != nil || token == "" {
-		return "", fmt.Errorf("unauthorized")
-	}
-
-	// cookie escapes special characters like $
-	// hence we need to unescape before comparing
-	decodedValue, err := url.QueryUnescape(token)
-	if err != nil {
-		return "", err
-	}
-
-	err = bcrypt.CompareHashAndPassword([]byte(decodedValue), []byte(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret)))
-	log.Println("error comparing hash:", err)
-	if err != nil {
-		return "", fmt.Errorf(`unauthorized`)
-	}
-
-	return token, nil
-}
--- a/server/utils/cookie.go
+++ b/server/utils/cookie.go
@@ -1,81 +0,0 @@
-package utils
-
-import (
-	"net/http"
-
-	"github.com/authorizerdev/authorizer/server/constants"
-	"github.com/authorizerdev/authorizer/server/envstore"
-	"github.com/gin-gonic/gin"
-)
-
-// SetCookie sets the cookie in the response. It sets 2 cookies
-// 1 COOKIE_NAME for the host (abc.com)
-// 2 COOKIE_NAME-client for the domain (sub.abc.com).
-// Note all sites don't allow 2nd type of cookie
-func SetCookie(gc *gin.Context, token string) {
-	secure := true
-	httpOnly := true
-	host, _ := GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
-	domain := GetDomainName(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
-	if domain != "localhost" {
-		domain = "." + domain
-	}
-
-	gc.SetSameSite(http.SameSiteNoneMode)
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName), token, 3600, "/", host, secure, httpOnly)
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+"-client", token, 3600, "/", domain, secure, httpOnly)
-}
-
-// GetCookie gets the cookie from the request
-func GetCookie(gc *gin.Context) (string, error) {
-	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName))
-	if err != nil {
-		cookie, err = gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName) + "-client")
-		if err != nil {
-			return "", err
-		}
-	}
-
-	return cookie.Value, nil
-}
-
-// DeleteCookie sets the cookie value as empty to make it expired
-func DeleteCookie(gc *gin.Context) {
-	secure := true
-	httpOnly := true
-
-	host, _ := GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
-	domain := GetDomainName(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
-	if domain != "localhost" {
-		domain = "." + domain
-	}
-
-	gc.SetSameSite(http.SameSiteNoneMode)
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName), "", -1, "/", host, secure, httpOnly)
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCookieName)+"-client", "", -1, "/", domain, secure, httpOnly)
-}
-
-// SetAdminCookie sets the admin cookie in the response
-func SetAdminCookie(gc *gin.Context, token string) {
-	secure := true
-	httpOnly := true
-	host, _ := GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
-
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), token, 3600, "/", host, secure, httpOnly)
-}
-
-func GetAdminCookie(gc *gin.Context) (string, error) {
-	cookie, err := gc.Request.Cookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName))
-	if err != nil {
-		return "", err
-	}
-	return cookie.Value, nil
-}
-
-func DeleteAdminCookie(gc *gin.Context) {
-	secure := true
-	httpOnly := true
-	host, _ := GetHostParts(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL))
-
-	gc.SetCookie(envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminCookieName), "", -1, "/", host, secure, httpOnly)
-}
--- a/server/utils/encrypt_config.go
+++ b/server/utils/encrypt_config.go
@@ -1,32 +0,0 @@
-package utils
-
-import (
-	"encoding/json"
-
-	"github.com/authorizerdev/authorizer/server/envstore"
-)
-
-func EncryptConfig(data map[string]interface{}) ([]byte, error) {
-	jsonBytes, err := json.Marshal(data)
-	if err != nil {
-		return []byte{}, err
-	}
-
-	envData := envstore.EnvInMemoryStoreObj.GetEnvStoreClone()
-
-	err = json.Unmarshal(jsonBytes, &envData)
-	if err != nil {
-		return []byte{}, err
-	}
-
-	configData, err := json.Marshal(envData)
-	if err != nil {
-		return []byte{}, err
-	}
-	encryptedConfig, err := EncryptAES(configData)
-	if err != nil {
-		return []byte{}, err
-	}
-
-	return encryptedConfig, nil
-}
--- a/server/utils/get_response_user_data.go
+++ b/server/utils/get_response_user_data.go
@@ -1,35 +0,0 @@
-package utils
-
-import (
-	"strings"
-
-	"github.com/authorizerdev/authorizer/server/db/models"
-	"github.com/authorizerdev/authorizer/server/graph/model"
-)
-
-// TODO move this to provider
-// rename it to AsAPIUser
-
-func GetResponseUserData(user models.User) *model.User {
-	isEmailVerified := user.EmailVerifiedAt != nil
-	isPhoneVerified := user.PhoneNumberVerifiedAt != nil
-	return &model.User{
-		ID:                  user.ID,
-		Email:               user.Email,
-		EmailVerified:       isEmailVerified,
-		SignupMethods:       user.SignupMethods,
-		GivenName:           user.GivenName,
-		FamilyName:          user.FamilyName,
-		MiddleName:          user.MiddleName,
-		Nickname:            user.Nickname,
-		PreferredUsername:   &user.Email,
-		Gender:              user.Gender,
-		Birthdate:           user.Birthdate,
-		PhoneNumber:         user.PhoneNumber,
-		PhoneNumberVerified: &isPhoneVerified,
-		Picture:             user.Picture,
-		Roles:               strings.Split(user.Roles, ","),
-		CreatedAt:           &user.CreatedAt,
-		UpdatedAt:           &user.UpdatedAt,
-	}
-}
--- a/server/utils/urls.go
+++ b/server/utils/urls.go
@@ -8,7 +8,7 @@ import (
 // GetHostName function returns hostname and port
 func GetHostParts(uri string) (string, string) {
 	tempURI := uri
-	if !strings.HasPrefix(tempURI, "http") && strings.HasPrefix(tempURI, "https") {
+	if !strings.HasPrefix(tempURI, "http://") && !strings.HasPrefix(tempURI, "https://") {
 		tempURI = "https://" + tempURI
 	}

@@ -26,7 +26,7 @@ func GetHostParts(uri string) (string, string) {
 // GetDomainName function to get domain name
 func GetDomainName(uri string) string {
 	tempURI := uri
-	if !strings.HasPrefix(tempURI, "http") && strings.HasPrefix(tempURI, "https") {
+	if !strings.HasPrefix(tempURI, "http://") && !strings.HasPrefix(tempURI, "https://") {
 		tempURI = "https://" + tempURI
 	}

--- a/server/utils/validator.go
+++ b/server/utils/validator.go
@@ -7,7 +7,6 @@ import (

 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/envstore"
-	"github.com/gin-gonic/gin"
 )

 // IsValidEmail validates email
@@ -52,21 +51,6 @@ func IsValidOrigin(url string) bool {
 	return hasValidURL
 }

-// IsSuperAdmin checks if user is super admin
-func IsSuperAdmin(gc *gin.Context) bool {
-	token, err := GetAdminAuthToken(gc)
-	if err != nil {
-		secret := gc.Request.Header.Get("x-authorizer-admin-secret")
-		if secret == "" {
-			return false
-		}
-
-		return secret == envstore.EnvInMemoryStoreObj.GetStringStoreEnvVariable(constants.EnvKeyAdminSecret)
-	}
-
-	return token != ""
-}
-
 // IsValidRoles validates roles
 func IsValidRoles(userRoles []string, roles []string) bool {
 	valid := true
Author	SHA1	Message	Date
Lakhan Samani	e170569959	Add fauna db provider	2022-01-24 18:53:53 +05:30
Lakhan Samani	b42cc1549a	fix: env to return custom access token script	2022-01-24 10:22:55 +05:30
Lakhan Samani	4bc9059b0f	fix: allow using cookie and header in case of validating jwt	2022-01-24 09:56:12 +05:30
Lakhan Samani	87b1cac979	feat(server): add is_valid_jwt query	2022-01-24 00:32:06 +05:30
Lakhan Samani	7f18a3f634	Implement refresh token logic with fingerprint + rotation	2022-01-23 01:24:41 +05:30
Lakhan Samani	0511e737ae	fix(server): add update roles env validation	2022-01-22 11:29:03 +05:30
Lakhan Samani	003d88fb6c	Merge pull request #106 from authorizerdev/fix/organize_dbs fix: organize dbs	2022-01-21 13:37:37 +05:30