0Pricing
C# Academy · Lesson

Refresh Tokens and Expiry

Implement secure token renewal.

The Expiry Problem

Short-lived access tokens are secure but inconvenient: forcing users to log in every 15 minutes is bad UX.

The solution is a refresh token - a separate, longer-lived credential used to obtain new access tokens without re-entering a password.

// access token: 15 minutes
// refresh token: 7-30 days

What a Refresh Token Is

A refresh token is typically an opaque random string (not a JWT). Because it is long-lived, it must be stored server-side so it can be revoked.

Generate it with a cryptographically secure RNG.

public static string GenerateRefreshToken()
{
    var bytes = new byte[64];
    using var rng = RandomNumberGenerator.Create();
    rng.GetBytes(bytes);
    return Convert.ToBase64String(bytes);
}

All lessons in this course

  1. JWT Structure and Claims
  2. Configuring JWT Bearer Authentication
  3. Issuing Tokens
  4. Refresh Tokens and Expiry
← Back to C# Academy