diff --git a/src/api/SIGCM2.Application/Abstractions/Security/IRefreshTokenGenerator.cs b/src/api/SIGCM2.Application/Abstractions/Security/IRefreshTokenGenerator.cs
new file mode 100644
index 0000000..51995c2
--- /dev/null
+++ b/src/api/SIGCM2.Application/Abstractions/Security/IRefreshTokenGenerator.cs
@@ -0,0 +1,10 @@
+namespace SIGCM2.Application.Abstractions.Security;
+
+public interface IRefreshTokenGenerator
+{
+    /// <summary>
+    /// Generates a cryptographically secure opaque raw token (256 bits, base64url without padding).
+    /// This is the value sent to the client. It is NEVER stored — only its SHA-256 hash is persisted.
+    /// </summary>
+    string Generate();
+}