I have an API and I wish to set the expiration of the access token based on the user requesting access. For example, most plans support a very limited number of M2M tokens, and those systems are highly trusted, so a longer exp is ideal. SPA/Native apps are less trusted, have shorter sessions, and should have shorter expirations.
I see that there is a “maximum access token lifetime” which implies that the value can be modified to a lower value. I asked the Guide AI and I’m pretty sure it hallucinated a wrong answer by suggesting that I adjust the “Token Expiration For Browser Flows” setting.
Sadly, that is not possible. The access token lifetime (expiration) applies to all users that log in against a protected API. See Update Access Token Lifetime for more information.
For security reasons, we really need to reduce the lifetime of these tokens, but that will explode the number of M2M tokens issued. For reasons I don’t understand, the M2M token limit is laughably small (like 5000 even on Enterprise), so even just TWO machines requesting M2M tokens on a 30 minute cadence will saturate the highest tier plan.
I find it hard to believe that Auth0 doesn’t have a solution for short lived M2M tokens that can scale to more than two nodes for an Enterprise deployment.
It’s recommended to always use short-lived tokens and cache them to avoid exceeding the quota on the number of M2M tokens issued.
With 5,000 M2M tokens, you can issue tokens every 30 minutes for two machines without hitting the limit.
For example:
- 2 tokens per hour × 24 hours = 48 tokens per day
- 48 tokens per day × 30 days = 1440 tokens per month
- 1440 tokens per month × 2 machines = 2880 tokens per month for 2 machines
Let me also clarify that only M2M applications can request M2M tokens. If your apps are SPA/Native/RWA, they will not be issued M2M tokens.
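The caching the reply above recommends, written out as an added example (this is not code from the thread or from Auth0's SDKs): a client-credentials token cache that reuses the token until it is within a configurable skew of expiry, so the number of tokens issued depends on the token lifetime rather than on request volume. The `fetch_token` callable is assumed to be whatever POSTs the client credentials to the token endpoint and returns `(access_token, expires_in)`; the simulation below replaces it with a constructed stand-in and a fake clock so it runs offline and reproduces the 30-day arithmetic from the post.

```python
"""Client-credentials (M2M) token cache plus an offline simulation of how many
tokens a month it causes to be issued. Added example; the token endpoint is
replaced by a constructed stand-in, no real authorization server is contacted."""
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # epoch seconds at which the token stops being valid


class M2MTokenCache:
    """Wraps fetch_token (assumed: returns (access_token, expires_in_seconds))
    and calls it only when no token is cached or the cached one is about to
    expire. `now` is injectable so behaviour can be simulated with a fake clock."""

    def __init__(self, fetch_token: Callable[[], Tuple[str, int]],
                 now: Callable[[], float] = time.time, refresh_skew_s: int = 60):
        self._fetch = fetch_token
        self._now = now
        self._skew = refresh_skew_s      # refresh this many seconds before expiry
        self._cached: Optional[CachedToken] = None
        self._lock = threading.Lock()    # one refresh at a time, no thundering herd
        self.fetch_count = 0             # tokens actually requested from the endpoint

    def get_token(self) -> str:
        with self._lock:
            now = self._now()
            if self._cached is None or now >= self._cached.expires_at - self._skew:
                token, expires_in = self._fetch()
                self.fetch_count += 1
                self._cached = CachedToken(token, now + expires_in)
            return self._cached.access_token


def simulate_month(lifetime_s: int, request_interval_s: int, machines: int,
                   refresh_skew_s: int = 60, days: int = 30) -> Tuple[int, int]:
    """Constructed simulation, not a measurement: every machine makes an API call
    every request_interval_s seconds for `days` days and asks its cache for a
    token first. Returns (tokens issued with the cache, tokens that would be
    issued if every request fetched a fresh token)."""
    total_s = days * 24 * 3600
    clock = {"t": 0.0}
    issued = {"n": 0}

    def fake_fetch() -> Tuple[str, int]:
        # Stand-in for the token endpoint: hands out an opaque token string.
        issued["n"] += 1
        return f"tok-{issued['n']}", lifetime_s

    caches = [M2MTokenCache(fake_fetch, now=lambda: clock["t"],
                            refresh_skew_s=refresh_skew_s) for _ in range(machines)]
    requests = 0
    for t in range(0, total_s, request_interval_s):
        clock["t"] = float(t)
        for cache in caches:
            cache.get_token()
            requests += 1
    return issued["n"], requests


if __name__ == "__main__":
    cached, uncached = simulate_month(lifetime_s=1800, request_interval_s=10, machines=2)
    print(f"30-minute tokens, a request every 10 s, 2 machines: "
          f"{cached} tokens issued with the cache vs {uncached} without")
```

With a refresh skew of 0 the simulation lands exactly on the post's 2880 tokens for two machines; the default 60-second skew refreshes a minute early so in-flight calls never carry a token that expires mid-request, which costs a few percent more issuances (2980) and is the number to budget against the quota. The lock matters in a multi-threaded service: without it, every thread that sees the token near expiry fetches its own replacement at once.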