Stateless authentication with JWT: refresh token is not stateless

One of the main criticisms of stateless session tokens is the lack of a secure logout. Having a separate access/refresh token allows a compromise. You can greatly reduce the amount of database access, while having a secure logout function with a 15-minute delay.
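The split described in this comment, as an added example that is not part of the original thread: the access token is an HS256 JWT (RFC 7519 format) checked by signature and expiry alone, so authorizing a request touches no database; the refresh token is a random string stored server-side (hashed) and is the only thing the database sees, once per access-token lifetime. Logout deletes the refresh token, and any access token already in the wild dies when it expires, which is the 15-minute delay the comment refers to. The `AuthServer` class, the in-memory store, the `demo()` function and the fixed timestamps are this example's own constructions, not any real library's API.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

ACCESS_TTL = 15 * 60          # seconds; the "15-minute delay" after logout
REFRESH_TTL = 30 * 24 * 3600  # refresh-token lifetime (assumed value)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT: header.payload.signature, base64url encoded."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: float) -> Optional[dict]:
    """Stateless check: algorithm pinned, signature, then expiry. None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":   # refuse "none" and algorithm confusion
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                     # malformed base64 / JSON / wrong segment count
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class AuthServer:
    """Hypothetical server: stateless access tokens, revocable refresh tokens."""

    def __init__(self, key: bytes):
        self.key = key
        # Stands in for a database table of refresh tokens. Only a hash is kept,
        # so a leaked table does not hand out usable tokens.
        self.refresh_store = {}

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue_access(self, user: str, now: float) -> str:
        return sign_jwt({"sub": user, "iat": int(now), "exp": int(now) + ACCESS_TTL}, self.key)

    def login(self, user: str, now: float) -> Tuple[str, str]:
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[self._h(refresh)] = {"sub": user, "exp": now + REFRESH_TTL}
        return self._issue_access(user, now), refresh

    def refresh(self, refresh_token: str, now: float) -> Optional[str]:
        """The one database hit in the flow: once per ACCESS_TTL per client."""
        rec = self.refresh_store.get(self._h(refresh_token))
        if rec is None or rec["exp"] <= now:
            return None
        return self._issue_access(rec["sub"], now)

    def logout(self, refresh_token: str) -> None:
        # Deleting the refresh token is the "secure logout": no further access
        # tokens can be minted. Outstanding access tokens stay valid until exp.
        self.refresh_store.pop(self._h(refresh_token), None)

    def authorize(self, access_token: str, now: float) -> Optional[str]:
        """Per-request check with no database access at all."""
        claims = verify_jwt(access_token, self.key, now)
        return claims["sub"] if claims else None


def demo() -> dict:
    """Walk through login, logout, and the window in which the access token survives."""
    srv = AuthServer(secrets.token_bytes(32))
    t0 = 1_700_000_000.0                     # constructed timestamp
    access, refresh = srv.login("alice", t0)
    out = {"before_logout": srv.authorize(access, t0 + 60)}
    srv.logout(refresh)
    out["after_logout_within_ttl"] = srv.authorize(access, t0 + 60)          # still "alice"
    out["refresh_after_logout"] = srv.refresh(refresh, t0 + 60)              # None: revoked
    out["after_logout_past_ttl"] = srv.authorize(access, t0 + ACCESS_TTL + 1)  # None: expired
    return out


if __name__ == "__main__":
    print(demo())
```

The trade-off the comment describes is visible in `demo()`: between logout and `exp`, the old access token is still accepted because nothing server-side is consulted, so `ACCESS_TTL` bounds the damage window and should be set with that in mind.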

The design doesn't do anything to protect against session hijacking, i.e. malicious capture of the token. Just use SSL, it is ubiquitous these days.

You can reduce the amount of round trips with some care. Many client HTTP libraries allow you to perform proactive authentication, which avoids the extra round-trip to get a 401.

I agree that it's not a particularly sensible design. Most web sites are database heavy anyway, so checking a token on each request isn't much more overhead. And while the basic concept of access/refresh tokens is secure, I worry that the extra complexity invites implementation flaws.