diff --git a/src/api/SIGCM2.Domain/Security/TokenHasher.cs b/src/api/SIGCM2.Domain/Security/TokenHasher.cs
new file mode 100644
index 0000000..a9cee84
--- /dev/null
+++ b/src/api/SIGCM2.Domain/Security/TokenHasher.cs
@@ -0,0 +1,25 @@
+using System.Security.Cryptography;
+using System.Text;
+
+namespace SIGCM2.Domain.Security;
+
+///
+/// Pure static helper for hashing opaque refresh tokens.
+/// SHA-256 is appropriate here — tokens are 256-bit random values (not passwords),
+/// so salting is unnecessary. Output is base64url without padding.
+///
+public static class TokenHasher
+{
+ public static string Sha256Base64Url(string raw)
+ {
+ var bytes = Encoding.UTF8.GetBytes(raw);
+ var hash = SHA256.HashData(bytes);
+ return Base64UrlEncode(hash);
+ }
+
+ private static string Base64UrlEncode(byte[] bytes)
+ => Convert.ToBase64String(bytes)
+ .TrimEnd('=')
+ .Replace('+', '-')
+ .Replace('/', '_');
+}
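Review bot: `Sha256Base64Url` is public and accepts any string, so the class comment's claim that unsalted SHA-256 is safe holds only while every caller passes a high-entropy random token; nothing on the method enforces or documents that precondition. Add a `<summary>`/`<param>` on the method stating that `raw` must be a randomly generated token of at least 256 bits and that the helper must not be used for passwords or short codes. The method should also reject null or empty input before hashing, e.g. `ArgumentException.ThrowIfNullOrEmpty(raw);` (available from .NET 7; use an explicit check on older targets). Without that guard an empty token hashes to a fixed, well-known digest, and a null one surfaces as an exception from `Encoding.UTF8.GetBytes` that does not name `raw`.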