by iammukeshm, 2020-05-27T16:49:41.505Z
To enhance the security of APIs that already use JWT Tokens, even more, we use something called Refresh Tokens.
What are they?
Refresh Tokens are random numbers/strings/combinations that are sent as a response along with the JSON Web Token back to the client, with which a user can request for valid JWT.
Issues it solves.
What if an attacker gets hold of your JWT Token? With this token, he could potentially access a secured API mimicking your usage, and compromise the entire service if he wants to. This is bad.
With JWT Token, it is advised that they must expire is less than a day (due to the above security concern). Usually, the standard is a few hours tops. So what happens when the token expires? The user get's logged out of the system and is prompted to log in again with his/her credentials. Now that is bad user experience in today's world.
I have written a detailed Article/ Guide on Refresh Tokens in ASP.NET Core APIs. Give it a look.