JWT generation/validation suggestions

In my asp.net web API rest application, I am using JWT generation and validation as follows. Would you please check my sample code?

  1. If I make it expire let’s say after a day, what might be the costs? (Client doesn’t want to get token frequently)
  2. What if I use basic authentication instead of JWT? I will use https in production.
  3. LifetimeValidator uses UTC as default I think so I was getting 401. So I changed UTC to local time. Any suggestions?
public static string createToken(string username)         {             //Set issued at date             DateTime issuedAt = DateTime.Now;             //set the time when it expires             DateTime expires = DateTime.Now.AddMinutes(10);              var tokenHandler = new JwtSecurityTokenHandler();              ClaimsIdentity claimsIdentity = new ClaimsIdentity(new[]             {                 new Claim(ClaimTypes.Name, username)             });              const string sec = "12345";             var now = DateTime.Now;             var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(System.Text.Encoding.Default.GetBytes(sec));             var signingCredentials = new Microsoft.IdentityModel.Tokens.SigningCredentials(securityKey, Microsoft.IdentityModel.Tokens.SecurityAlgorithms.HmacSha256Signature);              var token =                 (JwtSecurityToken)                 tokenHandler.CreateJwtSecurityToken(issuer: "http://test/api/v2/pin/initiation", audience: "http://test/api/v2/pin/initiation",                     subject: claimsIdentity, notBefore: issuedAt, expires: expires, signingCredentials: signingCredentials);             var tokenString = tokenHandler.WriteToken(token);              return tokenString;         } 
internal class TokenValidationHandler : DelegatingHandler     {         private static bool TryRetrieveToken(HttpRequestMessage request, out string token)         {             token = null;             IEnumerable<string> authzHeaders;             if (!request.Headers.TryGetValues("Authorization", out authzHeaders) || authzHeaders.Count() > 1)             {                 return false;             }             var bearerToken = authzHeaders.ElementAt(0);             token = bearerToken.StartsWith("Bearer ") ? bearerToken.Substring(7) : bearerToken;             return true;         }          protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)         {             HttpStatusCode statusCode;             string token;             //determine whether a jwt exists or not             if (!TryRetrieveToken(request, out token))             {                 statusCode = HttpStatusCode.Unauthorized;                 //allow requests with no token - whether a action method needs an authentication can be set with the claimsauthorization attribute                 return base.SendAsync(request, cancellationToken);             }              try             {                  const string sec = "12345";                 var now = DateTime.Now;                 var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(System.Text.Encoding.Default.GetBytes(sec));                   SecurityToken securityToken;                 JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();                 TokenValidationParameters validationParameters = new TokenValidationParameters()                 {                      ValidAudience = "http://tset/api/v2/pin/initiation",                     ValidIssuer = "http://test/api/v2/pin/initiation",                     ValidateLifetime = true,                     ValidateIssuerSigningKey = true,                     LifetimeValidator = LifetimeValidator,                     IssuerSigningKey = securityKey                 };                 //extract and assign the user of the jwt                 Thread.CurrentPrincipal = handler.ValidateToken(token, validationParameters, out securityToken);                 HttpContext.Current.User = handler.ValidateToken(token, validationParameters, out securityToken);                  return base.SendAsync(request, cancellationToken);             }             catch (SecurityTokenValidationException e)             {                 statusCode = HttpStatusCode.Unauthorized;             }             catch (Exception ex)             {                 statusCode = HttpStatusCode.InternalServerError;             }             return Task<HttpResponseMessage>.Factory.StartNew(() => new HttpResponseMessage(statusCode) { });         }          public bool LifetimeValidator(DateTime? notBefore, DateTime? expires, SecurityToken securityToken, TokenValidationParameters validationParameters)         {             if (expires != null)             {                 if (DateTime.Now < expires.Value.ToLocalTime()) return true;             }             return false;         }       }