Auth0 Home Blog Docs

API access tokens

Why does an API bearer token used to call the Management API default to lasting 86400 seconds? If I am using the token immediately it should only need to be active for a few seconds. Even in your example (https://auth0.com/docs/api/management/v2/get-access-tokens-for-production), the token is requested, immediately used to call the Mgmt API, then discarded.

Is it a security risk to have a valid token for a full day? Can we reduce the time before the token expires? Thank you.

Hi @fredrogers,

The token expiration is trade off between the convenience of not having to request another token for more api calls versus having a valid token lasting longer and the potential security implications.

If you want to reduce the time the token expiration time, you can do that in the management dashboard. Navigate to APIs -> Auth0 Management API -> Token Settings -> Token Expiration

Let me know if this helps!

Thanks,
Dan

I don’t really understand why it’s more convenient – I mean the whole point is that your server is making the calls. If I plan to use a token for extended period of time (even a few hours) I need to store it somewhere (my database?), then retrieve it, check if it is still valid, dispose of old expired tokens… seems far more convenient (and SAFER) to just grab a new token, use it immediately and 10 seconds later that’s the end of it. Again, that’s how the posted example works.

@fredrogers,

There are many use-cases and it is impossible to satisfy every user’s needs with one expiration time. That is precisely why you have the ability to customize that expiration time.

If you can imagine a scenario where an application is making close to the free-tier rate limit of 2 requests per second, making a separate request for a token every ten seconds could quickly become inefficient and cumbersome. In addition, these requests should be coming from a secured server where there is less risk of the token being acquired by a malicious party.

I am not sure why the default is a day, but I would be happy to ask the team if that is something you would like to know.

Does this make sense?

Thanks,
Dan

1 Like