JWT Refresh Token – Complete Implementation

Refresh tokens allow clients to obtain new access tokens without re‑authenticating.

How refresh token flow works

  1. User logs in → server returns access token (short‑lived) + refresh token (long‑lived).
  2. Access token expires → client sends refresh token to /refresh endpoint.
  3. Server validates refresh token, issues new access token.
  4. Refresh token can be rotated (old one invalidated after use).

C# example

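using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Mvc;

// Generate refresh token: 32 random bytes from the OS CSPRNG.
// Guid.NewGuid() is designed for uniqueness, not unpredictability, so it is not used for secrets.
var refreshToken = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));

// Store in database (hashed) with user ID and expiration
var tokenHash = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(refreshToken)));

// Endpoint to refresh
[HttpPost("refresh")]
public IActionResult Refresh(string refreshToken)
{
    // The database holds only the hash (in rt.Token), so hash the presented token before the lookup
    var presentedHash = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(refreshToken)));
    var storedToken = _db.RefreshTokens.FirstOrDefault(rt => rt.Token == presentedHash);
    if (storedToken == null || storedToken.Expires < DateTime.UtcNow)
        return Unauthorized();

    var newAccessToken = GenerateJwtToken(storedToken.UserId);
    return Ok(new { accessToken = newAccessToken });
}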
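
The endpoint above does not perform the rotation from step 4. The following is an added example, not code from the original page, that sketches rotation with reuse detection: each refresh token is single-use, and presenting an already-used token revokes every token descended from the same login. It assumes .NET 6 or later; RefreshTokenStore, Entry, Issue and Rotate are hypothetical names, and the dictionary stands in for the database table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: in-memory stand-in for the refresh token table (all names hypothetical).
public sealed class RefreshTokenStore
{
    private sealed record Entry(string UserId, Guid Family, DateTime Expires)
    {
        public bool Used { get; set; }
    }

    // Keyed by the SHA-256 hash of the token; the raw token is never stored.
    private readonly Dictionary<string, Entry> _byHash = new();
    private readonly HashSet<Guid> _revokedFamilies = new();

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Called at login: starts a new token family (the family id is a label, not a secret).
    public string Issue(string userId, TimeSpan lifetime) =>
        IssueInFamily(userId, Guid.NewGuid(), DateTime.UtcNow + lifetime);

    private string IssueInFamily(string userId, Guid family, DateTime expires)
    {
        var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _byHash[Hash(token)] = new Entry(userId, family, expires);
        return token;
    }

    // Returns the replacement refresh token, or null if the user must log in again.
    public string? Rotate(string presented, out string? userId)
    {
        userId = null;
        if (!_byHash.TryGetValue(Hash(presented), out var e)) return null;
        if (e.Expires < DateTime.UtcNow || _revokedFamilies.Contains(e.Family)) return null;
        if (e.Used)
        {
            // An already-rotated token came back: treat the family as stolen and revoke it all.
            _revokedFamilies.Add(e.Family);
            return null;
        }
        e.Used = true;
        userId = e.UserId;
        // Keep the original absolute expiry so rotation cannot extend a session indefinitely.
        return IssueInFamily(e.UserId, e.Family, e.Expires);
    }
}
```

In a /refresh handler, a null result from Rotate maps to Unauthorized(); otherwise the returned token goes back to the client together with a new access token for userId.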

Frequently Asked Questions

Should refresh tokens be stored?

Yes – in an HTTP‑only cookie or secure database.