Refresh Tokens and Expiry
Implement secure token renewal.
The Expiry Problem
Short-lived access tokens are secure but inconvenient: forcing users to log in every 15 minutes is bad UX.
The solution is a refresh token - a separate, longer-lived credential used to obtain new access tokens without re-entering a password.
// access token: 15 minutes
// refresh token: 7-30 daysWhat a Refresh Token Is
A refresh token is typically an opaque random string (not a JWT). Because it is long-lived, it must be stored server-side so it can be revoked.
Generate it with a cryptographically secure RNG.
public static string GenerateRefreshToken()
{
var bytes = new byte[64];
using var rng = RandomNumberGenerator.Create();
rng.GetBytes(bytes);
return Convert.ToBase64String(bytes);
}All lessons in this course
- JWT Structure and Claims
- Configuring JWT Bearer Authentication
- Issuing Tokens
- Refresh Tokens and Expiry