JWT Refresh Token Rotation in .NET — Why Your Auth is Probably Broken

via Dev.to WebdevCsharpDeveloper

Most JWT implementations I see in .NET projects have the same problem: the refresh token never changes. Once issued, it sits in the database (or worse, in a cookie) forever until it expires. This is a security hole. Here's why, and how to fix it with refresh token rotation.

The Problem

Standard JWT flow:

1. User logs in → gets access token (15 min) + refresh token (7 days)
2. Access token expires
3. Client sends refresh token → gets new access token
4. Same refresh token is reused for 7 days

What happens if someone steals the refresh token on day 1? They have 7 full days of access to the account. The real user has no idea.

The Fix: Token Rotation

With rotation, every time a refresh token is used, it's revoked and replaced with a new one:

1. User logs in → access token + refresh token A
2. Access token expires
3. Client sends refresh token A → gets new access token + refresh token B
4. Refresh token A is now dead
5. If anyone tries to use refresh token A again → ALERT, revoke everything
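As an added illustration (not the article's own code), here is a minimal in-memory store that implements the rotation and reuse-detection steps above; it assumes .NET 6 or later (for SHA256.HashData and RandomNumberGenerator.GetBytes), and the class and member names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not the article's code: an in-memory rotation store with reuse detection.
// One login starts a token "family"; every refresh revokes the presented token and
// issues its successor inside the same family, so a replayed token can be traced to its chain.
public sealed class RefreshTokenRecord
{
    public Guid Family;     // shared by every token descended from one login
    public Guid UserId;
    public DateTime Expires;
    public bool Revoked;
}

public sealed class RefreshTokenStore
{
    // Keyed by SHA-256 of the token: a database dump must not yield usable refresh tokens.
    private readonly Dictionary<string, RefreshTokenRecord> _byHash = new();

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Login: start a fresh family (refresh token A in the article).
    public string Issue(Guid userId) => Issue(userId, Guid.NewGuid());

    private string Issue(Guid userId, Guid family)
    {
        var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _byHash[Hash(token)] = new RefreshTokenRecord
        {
            Family = family, UserId = userId, Expires = DateTime.UtcNow.AddDays(7)
        };
        return token;
    }

    // Refresh: returns the successor token, or null when the client must log in again.
    // Presenting a token that was already rotated is the reuse signal from step 5:
    // the whole family is revoked, and the event is worth logging as a probable theft.
    public string? Rotate(string presented)
    {
        if (!_byHash.TryGetValue(Hash(presented), out var rec)) return null; // unknown token
        if (rec.Revoked) { RevokeFamily(rec.Family); return null; }        // reuse detected
        if (rec.Expires <= DateTime.UtcNow) return null;                    // expired, not theft
        rec.Revoked = true;                                                 // token A is now dead
        return Issue(rec.UserId, rec.Family);                              // token B, same family
    }

    public void RevokeFamily(Guid family)
    {
        foreach (var r in _byHash.Values) if (r.Family == family) r.Revoked = true;
    }
}
```

In a real service the store lives in the database and Rotate must run atomically (a transaction or row lock on the token record), otherwise two concurrent refreshes with the same token can both succeed and the reuse check never fires.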
