Various services, such as the ResourceManager, need to communicate with Hopsworks with REST calls. Authentication and authorization is performed with the use of JWT. Renewal of JWTs for services can be problematic, mainly because currently the operation is one-shot. Once you make a renew call for a JWT it will create a new valid token and immediately invalidate the previous. If the new token, for whatever reason, does not reach the service which requested the renewal then it is locked out of Hopsworks.
The proposed solution is to provide a set of one-time JWTs used for a renewal operation. The old token will be invalidated only when the requested service acknowledge it has received the new one.
For more information consult JWT design document, section “Service tokens”.