The client application setting JWT Expiration impacts the ID token issued as part of an applicable authentication request (not the access token). The ID token is the only token guaranteed to always be a JWT, because the OpenID Connect specification that defines it imposes this format and it’s also the only token meant to be processed directly by the client application.
Other tokens that may be issued, as is the case with access tokens and refresh tokens, don't have the same constraints and as such don't need to be JWTs. These tokens are issued to client applications, but are not processed by them; the client application should treat these tokens as opaque values. Due to this, the response also includes the expires_in parameter to denote the expiration time of the access token in a way that the client application can process.
When you perform an authentication/authorization request that either does not specify an audience or specifies the /userinfo audience, then the expiration time is currently not configurable and it's the one you observed.
If, on the other hand, you specify an audience parameter that maps to your own API that you configured in Auth0, then the expiration of the access token that is meant to be sent to that API can be configured through the following settings available within the API settings:
- Token Expiration (Seconds)
- Token Expiration For Browser Flows (Seconds)