A secure and scalable JWT Token Refresh Mechanism built with .NET 9, Domain-Driven Design (DDD), and Clean Architecture. Implements refresh tokens, token revocation, and multi-layered authentication to enhance security and user management.
✅ User Registration & Login – Secure user authentication with password hashing.
✅ JWT Access Tokens – Short-lived access tokens for secure API access.
✅ Refresh Tokens – Long-lived refresh tokens for session continuation.
✅ Token Revocation – Prevent unauthorized access by revoking refresh tokens.
✅ DDD & Clean Architecture – Ensures maintainability and scalability.
✅ Unit Testing – Comprehensive tests for security and authentication workflows.
🟣 .NET 9 – Backend framework for secure API development.
🔴 JWT Authentication – Secure user authentication and authorization.
🟢 Entity Framework Core – Database interactions and migrations.
🟡 FluentValidation – Request validation to enforce strong security rules.
🔵 MediatR – Implements CQRS for command-query separation.
🟠 xUnit & Moq – Unit testing and mocking dependencies for reliability.
This project follows Clean Architecture principles and DDD:
1️⃣ Domain Layer
📌 Business logic, entities, and domain events (User, RefreshToken).
2️⃣ Application Layer
📌 Use cases, commands, queries (LoginCommand, RefreshTokenCommand).
3️⃣ Infrastructure Layer
📌 Database, repositories, JWT provider, external services (EF Core, TokenService).
4️⃣ Presentation Layer
📌 API controllers, request/response models (UsersController, LoginRequest).
🔹 Users register with email and password.
🔹 Passwords are hashed before being stored securely.
🔹 Users log in with credentials.
🔹 A JWT access token (short-lived) and a refresh token (long-lived) are issued.
🔹 The refresh token is stored securely in the database.
🔹 When the access token expires, the client sends its refresh token to /refresh-token.
🔹 A new JWT access token (and a new refresh token) is issued.
🔹 The old refresh token is revoked (refresh token rotation), so a captured or replayed token cannot be reused.
🔹 Users can revoke their refresh tokens, logging them out from all devices.
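The rotation and revocation flow above, as an added example that is not the repository's own code: a single-file C# (.NET 9) program in which an in-memory dictionary stands in for the EF Core table. The names TokenService, RefreshTokenRecord, Issue, Refresh and RevokeAll are assumptions for illustration, not the project's API, and the access token is a minimal HS256 JWT built from the BCL so the file has no package dependencies. Beyond the steps listed above it also shows reuse detection: presenting a refresh token that has already been rotated revokes every token of that user.

```csharp
// Added example, not code from the repository. Names below (TokenService,
// RefreshTokenRecord, Issue/Refresh/RevokeAll) are illustrative assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

var service = new TokenService(
    signingKey: RandomNumberGenerator.GetBytes(32),   // HS256 key; load from configuration in a real app
    accessLifetime: TimeSpan.FromMinutes(15),
    refreshLifetime: TimeSpan.FromDays(7));

// 1. Login: a short-lived access token plus a long-lived refresh token.
var login = service.Issue("user-42");
Console.WriteLine($"access token parts: {login.AccessToken.Split('.').Length} (header.payload.signature)");

// 2. Access token expired: the client presents its refresh token and gets a new pair.
//    The presented token is revoked as part of the rotation.
var rotated = service.Refresh(login.RefreshToken) ?? throw new InvalidOperationException("rotation failed");
Console.WriteLine($"new refresh token issued: {rotated.RefreshToken != login.RefreshToken}");

// 3. Replay of the already-rotated token. It is rejected, and because a revoked token
//    came back (stolen or replayed) every token of the user is revoked, including the newest one.
Console.WriteLine($"replayed token accepted: {service.Refresh(login.RefreshToken) is not null}");
Console.WriteLine($"newest token accepted:   {service.Refresh(rotated.RefreshToken) is not null}");

// 4. Explicit logout from all devices: revoke every live refresh token of the user.
var again = service.Issue("user-42");
var revokedCount = service.RevokeAll("user-42");
Console.WriteLine($"revoked {revokedCount} token(s); refresh after logout accepted: {service.Refresh(again.RefreshToken) is not null}");

sealed record RefreshTokenRecord(string TokenHash, string UserId, DateTimeOffset ExpiresAt)
{
    public bool Revoked { get; set; }
    public string? ReplacedByHash { get; set; }   // audit trail of the rotation chain
}

sealed class TokenService(byte[] signingKey, TimeSpan accessLifetime, TimeSpan refreshLifetime)
{
    // Stands in for the EF Core table; keyed by SHA-256 of the token, never the token itself.
    private readonly Dictionary<string, RefreshTokenRecord> _store = new();

    public (string AccessToken, string RefreshToken) Issue(string userId)
    {
        var refreshToken = Base64Url(RandomNumberGenerator.GetBytes(32));   // 256 bits of CSPRNG output
        var hash = Hash(refreshToken);
        _store[hash] = new RefreshTokenRecord(hash, userId, DateTimeOffset.UtcNow + refreshLifetime);
        return (CreateAccessToken(userId), refreshToken);
    }

    public (string AccessToken, string RefreshToken)? Refresh(string presentedToken)
    {
        if (!_store.TryGetValue(Hash(presentedToken), out var record)) return null;   // unknown token
        if (record.Revoked)
        {
            RevokeAll(record.UserId);   // reuse detection: a rotated token came back, kill the whole family
            return null;
        }
        if (record.ExpiresAt <= DateTimeOffset.UtcNow) return null;   // expired; client must log in again

        var fresh = Issue(record.UserId);
        record.Revoked = true;
        record.ReplacedByHash = Hash(fresh.RefreshToken);
        return fresh;
    }

    public int RevokeAll(string userId)
    {
        var live = _store.Values.Where(r => r.UserId == userId && !r.Revoked).ToList();
        foreach (var r in live) r.Revoked = true;
        return live.Count;
    }

    // Minimal HS256 JWT from the BCL alone (the project would use its JWT library instead).
    private string CreateAccessToken(string userId)
    {
        var now = DateTimeOffset.UtcNow;
        var header = Base64Url(Encoding.UTF8.GetBytes("""{"alg":"HS256","typ":"JWT"}"""));
        var payload = Base64Url(JsonSerializer.SerializeToUtf8Bytes(new
        {
            sub = userId,
            iat = now.ToUnixTimeSeconds(),
            exp = (now + accessLifetime).ToUnixTimeSeconds(),
        }));
        var signature = Base64Url(HMACSHA256.HashData(signingKey, Encoding.ASCII.GetBytes($"{header}.{payload}")));
        return $"{header}.{payload}.{signature}";
    }

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    private static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

Run it with `dotnet run` from a console project targeting net9.0. Two points worth carrying into a real implementation: only the SHA-256 hash of a refresh token is persisted, so a leaked table contains nothing a client can present, and a refresh token that has already been rotated is treated as evidence of theft or replay, so the whole family is revoked rather than just the presented token.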
📌 .NET 9 SDK
📌 Visual Studio 2022 or VS Code
📌 Postman for API testing
```bash
git clone https://github.com/MrEshboboyev/jwt-token-refresh-mechanism.git
cd jwt-token-refresh-mechanism
dotnet restore
dotnet run --project src/Presentation
```
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/users/register | Registers a new user |
| POST | /api/users/login | Logs in and returns access & refresh tokens |
| POST | /api/users/refresh-token | Refreshes the JWT access token |
| POST | /api/users/revoke-token | Revokes a refresh token |
Run all unit tests:
```bash
dotnet test
```
1️⃣ Register a new user
2️⃣ Log in and get access & refresh tokens
3️⃣ Use refresh token to obtain a new access token
4️⃣ Revoke refresh token to log out
✅ Test using Postman, Swagger, or any REST client.
✅ High Security – Implements refresh token rotation & revocation.
✅ Scalable & Maintainable – Follows DDD & Clean Architecture.
✅ Ready for Production – Follows industry best practices.
✅ Cloud-Ready – Can be deployed on AWS, Azure, Kubernetes.
This project is licensed under the MIT License. See the LICENSE file for details.
For feedback, questions, or contributions:
📧 Email: mreshboboyev@gmail.com
💻 GitHub: MrEshboboyev
🚀 Secure your API with a scalable JWT Token Refresh Mechanism! Clone the repo and start coding today!