JWT Authentication issue - Very basic


I am able to generate this below response using the authentication service JWT AuthProvider

“userId”: “1”,
“sessionId”: “yXTnrEaYzt1gSP45cjxX”,
“userName”: “admin@email.com”,
“displayName”: “Admin User”,
“bearerToken”: “eyJ0eXAiOiJKV1QiLC…”,
“refreshToken”: “eyJ0eXAiOiJ…”,
“profileUrl”: “data:image/s”,
“roles”: [
“permissions”: []

These APIs will be used from Mobile app (android/ios). Since I am developing the APIs I am using postman. My question is that when the bearer token is expired how can I use the refresh token to get the fresh valid token for my services using postman.


If you provide both BearerToken in ss-tok cookies and the RefreshToken in ss-reftok cookie when making authenticated requests the BearerToken cookie will automatically be refreshed when it expires.

Otherwise you can use the GetAccessToken API to fetch a new BearerToken from a valid RefreshToken. Here are the Reqest/Response DTOs for GetAccessToken:

public class GetAccessToken : IPost, IReturn<GetAccessTokenResponse>
    public string RefreshToken { get; set; }

public class GetAccessTokenResponse : IHasResponseStatus
    public string AccessToken { get; set; }
    public ResponseStatus ResponseStatus { get; set; }

Hi @mythz ,

Appreciate your guidance in the right direction and yes I am able to achieve what I was trying to do.

Now, as a best practice looking for your advise and guidance that, shall I store the refresh token in the database in Refresh_Token column the user_auth_details table after the user successfully authenticated. To store the refresh token I guess I have to use OnAuthenticated method of the AppUserAuthEvents class.

Otherwise kindly share some thoughts upon how I should save the recover token and use it later when the user is required to acquire a new token.

  1. What is the purpose of Recover_Token column in app_user table

Is there any documentation about these auth tables to go through as I am trying to look into the docs to figure out the exact column’s purpose or what is the suitable value we can store in it.

I apologize if I am asking too basic question.Trying to go through the documentation as well.


The best practice is to not to store the RefreshToken, i.e. they’re generated when the User Authenticates and by default is configured in secure HTTP only cookies which is attached to every subsequent requests from the Authenticated HTTP Client.

If it’s stored anywhere it would be on the client in Mobile or Desktop Apps to support persistent authentication, browsers should only leave it stored in the Browser cookies to prevent XSS attacks.

The UserAuth tables just store common information about a user starting from the standard claim names, which are populated at sign ups via OAuth providers or from User Registration.