How are bearer tokens stored server-side in Web API 2?

For those who are looking for how to set web.config, here is a sample

<system.web>
  <machineKey validation="HMACSHA256" validationKey="64-hex"
              decryption="AES" decryptionKey="another-64-hex"/>
</system.web>

You need both validationKey and decryptionKey to make it work.

And here is how to generate keys: https://msdn.microsoft.com/en-us/library/ms998288.aspx

  1. They're not stored server-side -- they're issued to the client and the client presents them on each call. They're verified because they're signed by the OWIN host's protection key. In SystemWeb hosting, that protection key is the machineKey setting from web.config.

  2. That's unnecessary, as long as the protection key the OWIN host uses doesn't change across server restarts.

  3. A client can hold onto a token for as long as the token is valid.
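To make point 1 concrete, here is an added illustration (not code from the answers above, and not Katana's own implementation) that round-trips a small self-contained token through the same System.Web MachineKey.Protect/Unprotect API that the SystemWeb OWIN host's protection key rests on. It assumes it runs inside an ASP.NET application whose web.config has explicit validationKey and decryptionKey values; the purpose strings and the payload layout are my own.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

// Nothing is kept server-side: the token carries its own identity and expiry,
// and authenticity comes from the machineKey-based signature. Any server that
// shares the same explicit machineKey (farm member or the same box after a
// restart) can validate a token issued elsewhere.
public static class MachineKeyTokenDemo
{
    // Purpose strings bind the protected blob to this one use; a blob
    // protected under different purposes will not unprotect here.
    private static readonly string[] Purposes = { "demo-bearer-token", "v1" };

    public static string Issue(string userName, TimeSpan lifetime)
    {
        string expiry = DateTime.UtcNow.Add(lifetime).ToString("o");
        byte[] payload = Encoding.UTF8.GetBytes(userName + "|" + expiry);
        return Convert.ToBase64String(MachineKey.Protect(payload, Purposes));
    }

    // Returns the user name for an authentic, unexpired token; otherwise null.
    public static string Validate(string token)
    {
        byte[] plain;
        try
        {
            plain = MachineKey.Unprotect(Convert.FromBase64String(token), Purposes);
        }
        catch (CryptographicException) { return null; } // wrong key, wrong purpose, or altered bytes
        catch (FormatException)        { return null; } // not base64 at all

        string[] parts = Encoding.UTF8.GetString(plain).Split('|');
        if (parts.Length != 2) return null;
        DateTime expiresAt = DateTime.Parse(parts[1], CultureInfo.InvariantCulture,
                                            DateTimeStyles.RoundtripKind);
        // Point 3: the token decides its own lifetime; nothing else is consulted.
        return expiresAt < DateTime.UtcNow ? null : parts[0];
    }

    // Flipping a single ciphertext bit must make Validate() reject the token.
    public static bool TamperedTokenIsRejected(string token)
    {
        byte[] raw = Convert.FromBase64String(token);
        raw[raw.Length - 1] ^= 0x01;
        return Validate(Convert.ToBase64String(raw)) == null;
    }
}
```

If validationKey/decryptionKey are left at AutoGenerate, each server (and each restart) derives a different key and Validate() returns null for tokens issued by any other instance, which is the failure mode point 2 warns about.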