Refresh tokens are essential for secure, long-lived sessions in .NET APIs, but they are surprisingly easy to get wrong. This post walks through building a simple auth server that issues short-lived JWT access tokens + opaque refresh tokens, then shows a practical client token refresh strategy: reactive refresh (automatic on 401 with DelegatingHandler). Includes full runnable code, common pitfalls, and an engaging style that reads like a magazine article. Built from first principles in .NET 10.
aaronpina | 27 days ago
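As an added example (not code from the post or its author), the reactive-refresh strategy described above: a DelegatingHandler that sends with the current access token, refreshes once on 401 and replays the request, with a gate so concurrent 401s do not start competing refreshes. ITokenStore is an assumed abstraction over the post's token storage and refresh call; the auth server is assumed to reject a reused refresh token, which is why refreshes are serialised.

```csharp
using System.Net;
using System.Net.Http.Headers;

// Assumed abstraction (not from the post): exposes the current access token and can
// exchange the opaque refresh token for a new pair at the auth server.
public interface ITokenStore
{
    string? AccessToken { get; }
    Task<bool> TryRefreshAsync(CancellationToken ct); // false: refresh token rejected or revoked
}
// Reactive refresh: send with the current bearer token; on 401 refresh once and replay.
// One gate serialises refreshes so parallel 401s do not each spend the refresh token
// (assumed single-use on the server) and get the session revoked for reuse.
public sealed class RefreshOn401Handler : DelegatingHandler
{
    private readonly ITokenStore _store;
    private readonly SemaphoreSlim _gate = new(1, 1);

    public RefreshOn401Handler(ITokenStore store) => _store = store;

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        if (request.Content is not null) await request.Content.LoadIntoBufferAsync(); // make the body replayable
        var used = _store.AccessToken;
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", used);
        var response = await base.SendAsync(request, ct);
        if (response.StatusCode != HttpStatusCode.Unauthorized) return response;
        await _gate.WaitAsync(ct);
        try
        {
            // Skip the refresh if another request already rotated the token while we waited.
            if (_store.AccessToken == used && !await _store.TryRefreshAsync(ct))
                return response; // refresh failed: surface the 401 so the caller re-authenticates
        }
        finally { _gate.Release(); }
        response.Dispose();
        var retry = await CloneAsync(request, ct); // a sent HttpRequestMessage cannot be sent again
        retry.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _store.AccessToken);
        return await base.SendAsync(retry, ct); // exactly one replay; a second 401 goes back to the caller
    }

    private static async Task<HttpRequestMessage> CloneAsync(HttpRequestMessage r, CancellationToken ct)
    {
        var clone = new HttpRequestMessage(r.Method, r.RequestUri) { Version = r.Version };
        foreach (var h in r.Headers) clone.Headers.TryAddWithoutValidation(h.Key, h.Value);
        if (r.Content is null) return clone;
        clone.Content = new ByteArrayContent(await r.Content.ReadAsByteArrayAsync(ct)); // copies the buffered body
        foreach (var h in r.Content.Headers) clone.Content.Headers.TryAddWithoutValidation(h.Key, h.Value);
        return clone;
    }
}
```

Register it with `services.AddHttpClient<MyApiClient>().AddHttpMessageHandler<RefreshOn401Handler>()` so every call through that client gets the refresh-and-replay behaviour; the 401 path is the only one that touches the refresh token, so a leaked access token alone cannot trigger a refresh.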