Based on the provided knowledge sources, I can provide some information about session management and refresh tokens in Ory Kratos, but there are a few important points to clarify: 1. Ory Kratos does not natively use JWTs for sessions. As mentioned in the [Session Management Overview](https://www.ory.sh/docs/kratos/session-management/overview#json-web-token-jwt-support), sessions are not issued as JWTs by default. 2. Kratos uses its own session mechanism, which can be extended or refreshed, but this is different from JWT refresh tokens. 3. If you need to use JWTs with Kratos, there are a couple of options: - Use the recommended [Session to JWT](https://www.ory.sh/docs/identities/session-to-jwt-cors) feature. - Use Ory Oathkeeper as an API Gateway to convert Kratos sessions to JWTs. 4. For extending sessions in Kratos (not JWTs), you can use the

extendSession

API method, as mentioned in the [Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api). If you specifically need to work with JWT refresh tokens, you might want to look into Ory Hydra, which is Ory's OAuth2 and OpenID Connect provider. Hydra supports refresh token rotation and security protections as described in the [OAuth2 Refresh Token Grant documentation](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#refresh-token-rotation-and-security-protections). To directly answer your question: You cannot extend a refresh token on Kratos JWT because Kratos doesn't natively use JWTs for sessions. If you need JWT functionality with refresh capabilities, you may need to explore using Ory Hydra or implement additional layers on top of Kratos.