Tutorials ASP.NET Core Complete Tutorial (ShopNest)

JWT Authentication with Refresh Tokens — Complete Implementation

Learn JWT Authentication with Refresh Tokens — Complete Implementation in our free ASP.NET Core Complete Tutorial (ShopNest) series. Step-by-step explanations, examples, and interview tips on Toolliyo Academy.

On this page
JWT Authentication with Refresh Tokens — Complete Implementation — ShopNest
Article 32 of 75 · Module 4: Authentication & Security · ShopNest Mobile App Backend API
Target keyword: jwt refresh tokens asp.net core · Read time: ~35 min · .NET: 8 / 9 · Project: ShopNest Mobile App Backend API

Introduction

Short-lived access tokens limit exposure; refresh tokens let ShopNest mobile apps get new access tokens without re-login. This advanced lesson implements the full pattern with rotation, revocation, and Identity integration.

After this article you will

  • Issue access + refresh token pair on login
  • Store refresh tokens hashed in database
  • Rotate refresh tokens on each use
  • Revoke tokens on logout and security events
  • Avoid common JWT security mistakes

Prerequisites

Concept deep-dive

public class RefreshToken
{
    public int Id { get; set; }
    public string UserId { get; set; } = "";
    public string TokenHash { get; set; } = "";
    public DateTime ExpiresAt { get; set; }
    public DateTime? RevokedAt { get; set; }
    public string? ReplacedByTokenHash { get; set; }
    public bool IsActive => RevokedAt == null && DateTime.UtcNow < ExpiresAt;
}

// Login response
return Ok(new {
    accessToken = GenerateJwt(user, expires: TimeSpan.FromMinutes(15)),
    refreshToken = plainRefreshToken, // store hash only
    expiresIn = 900
});

// POST /api/auth/refresh
// Validate refresh token hash, revoke old, issue new pair (rotation)

Security: Access token 15 min; refresh 7–30 days; hash refresh tokens (SHA256); bind to device/client ID optional; HTTPS only; never store access token in localStorage if XSS risk — prefer httpOnly cookie for web.

Hands-on — ShopNest Mobile App Backend API

  1. RefreshToken entity + migration.
  2. AuthController: login, refresh, logout (revoke), revoke-all.
  3. Detect reuse of old refresh token — revoke entire family (breach signal).
  4. Mobile client: intercept 401, call refresh once, retry request.

Common errors & best practices

  • Long-lived JWT without refresh — stolen token valid for days.
  • Storing refresh token plaintext in DB — hash like passwords.
  • Refresh endpoint without rate limiting — brute force vector.
  • Same signing key for dev and prod — rotate keys per environment.

Interview questions

Q: Why refresh tokens?
A: Short access token limits damage; refresh allows UX without constant login.

Q: Token rotation?
A: Each refresh invalidates old token and issues new — detects theft if old reused.

Q: Where store refresh token on mobile?
A: Secure storage (Keychain/Keystore), not plain preferences.

Summary

  • Access + refresh pattern is industry standard for mobile APIs
  • Store hashed refresh tokens; rotate on each refresh
  • Revoke on logout and suspicious reuse
  • Integrates with Identity user store from Article 29

Previous: Authorization — Roles, Policies, Claims
Next: OAuth2 and External Login

FAQ

Possible with httpOnly + SameSite=Strict — common secure pattern.

JWT blacklist?

Hard with stateless JWT — short expiry + refresh rotation preferred over central blacklist.

Questions on this lesson 0

Sign in to ask a question or upvote helpful answers.

No questions yet — be the first to ask!

ASP.NET Core Complete Tutorial (ShopNest)
Course syllabus
Module 1: Foundations
Module 2: Entity Framework Core
Module 3: Dependency Injection & Middleware
Module 4: Authentication & Security
Module 5: Web API
Module 6: Advanced Architecture
Module 7: Testing
Module 8: Deployment & DevOps
Module 9: Real-World Projects
Module 10: Advanced Topics
Toolliyo Assistant
Ask about tutorials, ebooks, training, pricing, mentor services, and support. I use public site content only—not admin or internal tools.

care@toolliyo.com

Need callback? Share your details