Aspnetcore: DataProtection Protected Payload length

It depends on the data to be honest, and the algorithm configured. Are you indexing on it? If not, just nvarchar(max) and be done with it.

Two things to note.

First, since you mentioned database storage... the data protection layer is intended to create _ephemeral_ data, not persisted data. By ephemeral data we mean data that you wouldn't mind losing. Authentication cookies are an example of this, as if you "lose" your authentication cookie you can simply log in again. It's not recommended to use the data protection APIs to create data that you intend to keep around in perpetuity. If you intend long-term storage of cryptographically protected data, you may have data retention and retrieval requirements, so another mechanism (such as something backed by a proper X.509 certificate) might be more appropriate.

From https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/introduction:

The ASP.NET Core data protection APIs are not primarily intended for indefinite persistence of confidential payloads. Other technologies like Windows CNG DPAPI and Azure Rights Management are more suited to the scenario of indefinite storage, and they have correspondingly strong key management capabilities. That said, there's nothing prohibiting a developer from using the ASP.NET Core data protection APIs for long-term protection of confidential data.

So let's say you decide using data protection + a database is appropriate for your scenario. If you do this, remember that the data protection layer operates on _bytes_, not _chars_. Once you have a byte[] that represents a protected payload, remember to call Convert.ToBase64String to convert it to a string before storing it in your database. The column type should be nvarchar(max), as Barry said.