Access token minimum expiration time

I have set up a token expiration of 10 seconds in one API, for testing purposes.

In practice, I've noticed that the token is valid for 5 minutes.

Is there a “grace” period on tokens which makes expiration times less than 5 minutes not supported? Or do I need to do further setup than changing token expiration in the API?

Any input appreciated.

Hey there @SergioETrillo, I apologize for the delay in response.

We actually have a doc about setting Access Tokens lifespan that dives into some of this. Let me share some of the key points here but if you have any additional questions please let us know.

You control the Access Token lifetime for custom APIs on a per-API basis.

Auth0 recommends that you set the validity period of your token based on the security requirements of your API. For example, an Access Token that accesses a banking API should expire more quickly than one that accesses a ToDo API.

To configure the amount of time a token lives, use the Token Expiration (Seconds) field for your API in the Dashboard APIs section.

  • Default value: 24 hours (86400 seconds)
  • Maximum amount of time (in seconds) that the token can be valid after being issued: 2592000 seconds (30 days).

Access Token lifetime for the OIDC user profile endpoint

Access Tokens issued strictly for the purpose of accessing the OpenID Connect (OIDC) user profile endpoint (e.g., the tokens are meant for authentication only, not to access a custom API) have a default lifetime and can’t be changed. The length of lifetime depends on the flow used to obtain the token.

| Flow | Lifetime |
| --- | --- |
| Implicit Flow | 7200 seconds (2 hours) |
| Authorization Code/Hybrid Flows | 86400 seconds (24 hours) |

https://auth0.com/docs/tokens/guides/access-token/set-access-token-lifetime
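
One way to check what the question describes, as an added example that is not part of the original thread or Auth0's code: decode the token, compare `exp - iat` with the configured Token Expiration (Seconds), and then see how an expiry check behaves with and without a clock-skew leeway. The 300-second leeway, the sample token and every function name here are assumptions for illustration; the thread does not confirm that a leeway explains the 5 minutes observed.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    For inspection only; never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    return json.loads(b64url_decode(parts[1]))


def issued_lifetime(claims: dict) -> int:
    """Lifetime the issuer wrote into the token: exp - iat, in seconds."""
    return int(claims["exp"]) - int(claims["iat"])


def accepted_at(claims: dict, now: int, leeway: int = 0) -> bool:
    """Expiry check as a validator applies it: valid while now < exp + leeway."""
    return now < int(claims["exp"]) + leeway


def make_sample_token(iat: int, lifetime: int) -> str:
    """Constructed sample token (dummy signature) so the example runs offline."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"aud": "https://api.example.test", "iat": iat, "exp": iat + lifetime}
    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"


if __name__ == "__main__":
    iat = 1_700_000_000  # constructed issue time
    claims = jwt_claims(make_sample_token(iat, lifetime=10))
    print("issued lifetime:", issued_lifetime(claims), "s")
    for offset in (5, 60, 309, 310):
        print(f"t+{offset:>3}s strict={accepted_at(claims, iat + offset)} "
              f"leeway300={accepted_at(claims, iat + offset, leeway=300)}")
```

If `issued_lifetime` already matches the value set in the Dashboard, the extra validity comes from the code validating the token rather than from the issuer's setting.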
