get-convex / convex-auth

Library for built-in auth
https://labs.convex.dev/auth

Consider: Using long-lasting JWTs and always validating the session #20

Open xixixao opened 4 months ago

xixixao commented 4 months ago

This would obviate the need for refresh tokens.

tristanz commented 1 month ago

This would simplify server-side rendering. The refresh token significantly complicates server-side rendering + client auth code, since refreshing can happen both on the backend for the preloadQuery token and in the Convex client to keep it alive.

sshader commented 1 month ago

Still considering this, but for now have implemented a 10s reuse window (similar to what Supabase does) to guard against some of the races with SSR.
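
A sketch of refresh-token rotation with the 10s reuse window mentioned in the last comment, added here as an illustration and not taken from convex-auth or Supabase. The store, its method names, and the choices to return the same successor inside the window and to revoke the session on later reuse are assumptions of this example.

```typescript
// Added sketch; not convex-auth code. All names here are hypothetical.
const REUSE_WINDOW_MS = 10_000; // the 10s reuse window from the thread

type RefreshRecord = { sessionId: string; usedAt: number | null; successor: string | null };
type RefreshResult =
  | { ok: true; refreshToken: string; sessionId: string }
  | { ok: false; reason: "unknown_token" | "session_revoked" | "reuse_outside_window" };

class RefreshTokenStore {
  private tokens = new Map<string, RefreshRecord>();
  private revoked = new Set<string>();
  private now: () => number;
  private mint: () => string; // must be a CSPRNG-backed generator in real use

  constructor(now: () => number, mint: () => string) {
    this.now = now;
    this.mint = mint;
  }

  issue(sessionId: string): string {
    const token = this.mint();
    this.tokens.set(token, { sessionId, usedAt: null, successor: null });
    return token;
  }

  refresh(token: string): RefreshResult {
    const rec = this.tokens.get(token);
    if (!rec) return { ok: false, reason: "unknown_token" };
    if (this.revoked.has(rec.sessionId)) return { ok: false, reason: "session_revoked" };

    if (rec.usedAt === null || rec.successor === null) {
      // First exchange: rotate and remember which token replaced this one.
      rec.usedAt = this.now();
      rec.successor = this.issue(rec.sessionId);
      return { ok: true, refreshToken: rec.successor, sessionId: rec.sessionId };
    }
    if (this.now() - rec.usedAt <= REUSE_WINDOW_MS) {
      // Second caller in the race (e.g. SSR and the client both refreshing):
      // return the same successor instead of forking the token chain.
      return { ok: true, refreshToken: rec.successor, sessionId: rec.sessionId };
    }
    // Reuse after the window looks like a replayed token: revoke the session.
    this.revoked.add(rec.sessionId);
    return { ok: false, reason: "reuse_outside_window" };
  }
}
```

The window trades a short replay opportunity for tolerance of concurrent refreshes, so the value chosen bounds how long a captured refresh token stays exchangeable after its first use.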