I’ve read that nonces are meant to be for one time use only, and after an ajax request, you should issue a new nonce so with the next ajax request, a new nonce would be sent to the server.
However, I just tested repeated ajax requests using the same nonce token, and for each request wp_verify_nonce returned true on the same token, meaning it could be reused dozens of times.
Is this intentional, or a bug?
Do I still need to issue new nonces with each ajax request, or can the same one continue to work for all future requests?
In WordPress, nonces are specific to the user, the action being performed, and the time. With regards to time, a nonce is valid for 24 hours, and changes every 12 hours. This is considered an acceptable trade-off, since using a real number-used-once would involve adding a tracking system and having storage of the used nonces.
Nonces are also hashed, and so the NONCE_SALT constant will be part of the resulting nonce as well. Changing the NONCE_SALT will invalidate all nonces immediately.
You should issue a new nonce every time. This is so that if the timing or methodology needs to be adjusted in the future, then your code will continue to handle it appropriately.
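To make the time-bucketed behaviour described in the answer concrete, here is a small Python model of that scheme (an added illustration, not WordPress's own code and not the answer author's). It assumes the structure WordPress uses: a tick counter that advances every half-life (12 hours), a keyed hash over `tick|action|user|session` with the salt as key, and verification that accepts the current tick (returning 1) or the previous tick (returning 2). The key, salt, user id, session token and timestamps are constructed placeholders.

```python
import hashlib
import hmac
import math

# Model of WordPress-style time-bucketed nonces (illustration, not WordPress code).
# NONCE_KEY / NONCE_SALT stand in for the wp-config.php constants (constructed values).
NONCE_LIFE = 24 * 60 * 60        # a nonce stays valid for 24 hours
HALF_LIFE = NONCE_LIFE // 2      # the tick counter advances every 12 hours
NONCE_KEY = "example-nonce-key"
NONCE_SALT = "example-nonce-salt"


def nonce_tick(now, life=NONCE_LIFE):
    """Bucket counter: changes every life/2 seconds, so nonces rotate twice a day."""
    return math.ceil(now / (life / 2))


def _nonce_hash(tick, action, user_id, session_token, salt):
    """Keyed hash over tick|action|user|session; no per-nonce storage is needed."""
    data = f"{tick}|{action}|{user_id}|{session_token}".encode()
    key = (NONCE_KEY + salt).encode()
    digest = hmac.new(key, data, hashlib.md5).hexdigest()
    return digest[-12:][:10]          # short, URL-friendly token


def create_nonce(action, user_id, session_token, now, salt=NONCE_SALT):
    """Issue a nonce for the current tick; identical inputs in one tick give the same nonce."""
    return _nonce_hash(nonce_tick(now), action, user_id, session_token, salt)


def verify_nonce(nonce, action, user_id, session_token, now, salt=NONCE_SALT):
    """Return 1 if the nonce belongs to this tick, 2 if to the previous tick, else False.

    Because nothing records which nonces were already consumed, a nonce verifies
    as many times as it is presented while its two-tick (24-hour) window lasts.
    """
    tick = nonce_tick(now)
    for age, candidate_tick in ((1, tick), (2, tick - 1)):
        expected = _nonce_hash(candidate_tick, action, user_id, session_token, salt)
        if hmac.compare_digest(expected, nonce):
            return age
    return False


def reuse_count(nonce, action, user_id, session_token, now, attempts):
    """Replay the same nonce `attempts` times at one instant; count how many verify."""
    return sum(
        1 for _ in range(attempts)
        if verify_nonce(nonce, action, user_id, session_token, now)
    )


if __name__ == "__main__":
    t0 = HALF_LIFE * 1000 + 100            # constructed timestamp, mid-bucket
    n = create_nonce("save_post", 7, "session-abc", t0)
    print("same nonce accepted", reuse_count(n, "save_post", 7, "session-abc", t0, 20), "of 20 times")
    print("12h later:", verify_nonce(n, "save_post", 7, "session-abc", t0 + HALF_LIFE))
    print("24h later:", verify_nonce(n, "save_post", 7, "session-abc", t0 + NONCE_LIFE))
    print("new salt:", verify_nonce(n, "save_post", 7, "session-abc", t0, salt="rotated-salt"))
```

Running the model reproduces the observation in the question: the same nonce verifies repeatedly within its window, returns 2 once the tick has advanced, fails after two ticks, and fails immediately for a different action, user, session or salt. Issuing a fresh nonce with each response costs nothing here, and keeps client code correct if the window or scheme is ever tightened.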