I have an AngularJS web application that is using Auth0 to log in. I also have an API that I am securing with the same access token.
The website seems to have a timeout of 10 hours. The API token seems to have a timeout of 24 hours for non-web clients and 2 hours for web clients.
Effectively, this means that my users will have to re-authenticate every 2 hours. What is the recommended way to solve this? Should I set all my timeouts to the same value or is there some way to silently get a new token before the old token is invalidated?
Although the tokens have short lifetimes, depending on how you implemented login it's likely that an authenticated session is being established in your associated tenant/domain (the recommended approach for a web application would be to log in using the hosted login page, which would satisfy this requirement).
The above authenticated session could then be leveraged to obtain new tokens without forcing the end-user to actively authenticate again. The current recommended way to perform this silent authentication would be: Auth0.js v9 Reference
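
As an added illustration (not part of the original answer, and not Auth0's own code), the sketch below schedules a silent renewal shortly before the token expires, using the `checkSession(options, callback)` method of Auth0.js v9. The handler names, the 60-second margin and the `err.error` field layout are assumptions made for this example.

```javascript
// Added example: renew the access token silently before it expires.
// Assumption: `webAuth` is an auth0.WebAuth instance (Auth0.js v9); only its
// checkSession(options, callback) method is called, so a stub works offline.

// OIDC prompt=none errors that mean no usable session exists at the tenant.
const INTERACTIVE_ERRORS = ['login_required', 'consent_required', 'interaction_required'];

// Milliseconds to wait before renewing a token that lives `expiresInSeconds`.
// The 60-second safety margin is an assumed value, not an Auth0 default.
function renewalDelayMs(expiresInSeconds, marginSeconds = 60) {
  return Math.max(expiresInSeconds - marginSeconds, 0) * 1000;
}

// True when the user has to go through the login page again.
// Assumption: the error object carries the OIDC code in `err.error`.
function needsInteractiveLogin(err) {
  return Boolean(err) && INTERACTIVE_ERRORS.includes(err.error);
}

// Schedules checkSession shortly before each expiry and reschedules on success.
// handlers: { onToken, onLoginRequired, onError } (hypothetical names).
// setTimer is injectable so the loop can be exercised without real waiting.
function startSilentRenewal(webAuth, options, expiresIn, handlers, setTimer = setTimeout) {
  let stopped = false;
  let timer = null;

  function schedule(seconds) {
    timer = setTimer(function renew() {
      if (stopped) return;
      webAuth.checkSession(options, function (err, authResult) {
        if (stopped) return;
        if (needsInteractiveLogin(err)) return handlers.onLoginRequired(err);
        if (err) return handlers.onError(err); // e.g. network failure or timeout
        handlers.onToken(authResult); // hand the new token to the API client
        schedule(authResult.expiresIn); // lifetime of the new token, in seconds
      });
    }, renewalDelayMs(seconds));
  }

  schedule(expiresIn);
  return function stop() {
    stopped = true;
    clearTimeout(timer);
  };
}
```

Call the returned `stop()` function on logout so that no renewal fires for a user who has signed out.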