nollidnosnhoj / Tuna

A platform for uploading and sharing audio.


Revisit Authentication and Authorization Flow

nollidnosnhoj opened this issue · comments

Right now, when the user is authenticated using their email/username and password, the client will receive an access token and a refresh token. The access token is used to access the (protected) API, while the refresh token is used to refresh the access token, since it is short-lived. On the client (web app) side, whenever a request receives a 401 error, the app will call the refresh access token endpoint using the refresh token to get a new access token, along with a new refresh token.

This is somewhat similar to OAuth2, but not quite, and I want to implement OpenID and OAuth2 into the API, since it is the open standard for authentication and authorization.
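The client-side retry-on-401 flow described in the issue, written out as an added example (this is not Tuna's code; the `/auth/refresh` path, the `accessToken`/`refreshToken` field names and the in-memory mock API are assumptions). It goes one step past the description: concurrent requests that all get 401 share a single in-flight refresh, which matters once the refresh token is single-use and rotated on every call, because a second refresh with the already-consumed token would be rejected.

```javascript
const REFRESH_PATH = "/auth/refresh"; // assumed endpoint name, not Tuna's real route
// Client wrapper: callers that hit 401 at the same time share one refresh call, then
// each retries its original request exactly once with the new access token.
function createAuthClient(fetchImpl, initialTokens) {
  let tokens = { ...initialTokens };
  let refreshing = null; // promise of the in-flight refresh, if any
  function refresh() {
    if (!refreshing) {
      refreshing = (async () => {
        const res = await fetchImpl(REFRESH_PATH, { method: "POST", body: JSON.stringify({ refreshToken: tokens.refreshToken }) });
        if (res.status !== 200) throw new Error("refresh rejected: re-login required");
        tokens = await res.json(); // rotated pair: { accessToken, refreshToken }
      })().finally(() => { refreshing = null; });
    }
    return refreshing;
  }
  async function request(path, init = {}) {
    const send = () => fetchImpl(path, { ...init, headers: { ...init.headers, Authorization: `Bearer ${tokens.accessToken}` } });
    let res = await send();
    if (res.status === 401) { await refresh(); res = await send(); } // retry once; a second 401 goes back to the caller
    return res;
  }
  return { request, getTokens: () => tokens };
}
// Constructed in-memory stand-in for the API: one valid access token and a single-use
// refresh token that rotates on every successful refresh (old refresh token is rejected).
function createMockApi() {
  let n = 1, validAccess = "access-1", validRefresh = "refresh-1";
  const calls = [];
  const reply = (status, body) => ({ status, json: async () => body });
  const fetchImpl = async (path, init) => {
    calls.push(path);
    if (path === REFRESH_PATH) {
      if (JSON.parse(init.body).refreshToken !== validRefresh) return reply(401, {});
      n += 1; validAccess = `access-${n}`; validRefresh = `refresh-${n}`;
      return reply(200, { accessToken: validAccess, refreshToken: validRefresh });
    }
    return init.headers.Authorization === `Bearer ${validAccess}` ? reply(200, { path }) : reply(401, {});
  };
  return { fetchImpl, calls };
}
// Two concurrent requests start with a stale access token: both get 401, exactly one
// refresh happens, and both succeed on retry with the rotated token pair.
async function demo() {
  const api = createMockApi();
  const client = createAuthClient(api.fetchImpl, { accessToken: "stale", refreshToken: "refresh-1" });
  const res = await Promise.all([client.request("/audio/1"), client.request("/audio/2")]);
  return { statuses: res.map((r) => r.status), refreshCalls: api.calls.filter((p) => p === REFRESH_PATH).length, tokens: client.getTokens() };
}
```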