I am currently developing a system with an ASP.NET Core Web API backend and client applications in both Blazor WebAssembly and .NET MAUI. The authentication flow is based on JWT with rotating refresh tokens; access tokens expire after 3 minutes and refresh tokens after 30 days. We use GraphQL with a single endpoint for the server-client protocol.