diff --git a/src/api/SIGCM2.Application/Abstractions/Security/IJwtService.cs b/src/api/SIGCM2.Application/Abstractions/Security/IJwtService.cs
index 0a60224..bdace9e 100644
--- a/src/api/SIGCM2.Application/Abstractions/Security/IJwtService.cs
+++ b/src/api/SIGCM2.Application/Abstractions/Security/IJwtService.cs
@@ -1,3 +1,4 @@
+using System.Security.Claims;
 using SIGCM2.Domain.Entities;
 
 namespace SIGCM2.Application.Abstractions.Security;
@@ -5,4 +6,11 @@ namespace SIGCM2.Application.Abstractions.Security;
 public interface IJwtService
 {
     string GenerateAccessToken(Usuario usuario);
+
+    /// <summary>
+    /// Validates an access token's signature and claims WITHOUT checking expiry.
+    /// Used by the refresh flow to extract the UsuarioId from an expired access token.
+    /// Throws SecurityTokenException (or derived) if the signature is invalid or the algorithm is wrong.
+    /// </summary>
+    ClaimsPrincipal GetPrincipalFromExpiredToken(string accessToken);
 }