Default /mfa/ audience's token expiration time

Hi

I’m trying to implement MFA inside my application, but I’m seeing that the token expiration time I get during login is only 10 minutes.
Is this because I’m testing on localhost, or is it the default time? Can I change this time?
I’m using the default https://{tenant}.auth0.com/mfa/ audience.

Thank you!


We are stuck with the same issue. We’re using the Resource Owner Password method with MFA enabled. Our token’s expires_in is always 600 (10 minutes) regardless of what expiry time we set up on Auth0 dashboard. Any solution for this?

Access tokens with AUTH0_DOMAIN/mfa audience are restricted to 10 minutes expiry due to security reasons. This cannot be bypassed.

I would use that audience only when the MFA scopes are explicitly required, and use a different or no audience otherwise.


@themeera Can you please explain when the /mfa audience is required? I believe we’re currently using it on all /oauth/token API calls.
We have a pretty typical use case, nothing out of the ordinary. The user signs up with an email, password and phone number, and MFA via SMS is always required.
This 10-minute restriction essentially means we have to ask the user to log back in every 10 minutes, which doesn’t seem reasonable. What is the work-around? Is the only work-around using a refresh token?

It’s required when the application needs to modify the MFA factors of a user: https://auth0.com/docs/multifactor-authentication/api/manage

If the user is already enrolled in MFA, the audience can be skipped.
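The two replies above make one practical point: request the /mfa/ audience only on the /oauth/token call that actually needs the MFA management scopes, and use the application's own API audience (or none) for ordinary logins so the 10-minute cap does not apply. The following Python is an added example, not code from the thread or from Auth0; the tenant domain, client credentials and the sample token response are constructed placeholders. It builds the Resource Owner Password grant body with the audience chosen from the requested scopes, and inspects a token response so a client can tell when it has received a capped /mfa/ token and whether it has a refresh token to fall back on.

```python
"""Pick the Auth0 token audience from the scopes an app really needs.

Added example. Tenant domain, client id/secret and the sample response
below are constructed placeholders, not values from the thread.
"""
import json

# Scopes of the Auth0 MFA management API (manage authenticators).
MFA_API_SCOPES = {"enroll", "read:authenticators", "remove:authenticators"}

# Lifetime, in seconds, that Auth0 enforces for tokens issued for /mfa/.
MFA_AUDIENCE_LIFETIME = 600


def mfa_audience(tenant_domain: str) -> str:
    """Return the MFA API audience for a tenant, e.g. https://x.auth0.com/mfa/."""
    return f"https://{tenant_domain}/mfa/"


def choose_audience(tenant_domain: str, scopes, default_audience=None):
    """Use /mfa/ only when an MFA-management scope is requested; otherwise
    fall back to the application's own API audience (or none at all)."""
    if MFA_API_SCOPES & set(scopes):
        return mfa_audience(tenant_domain)
    return default_audience


def build_password_grant(tenant_domain, client_id, client_secret,
                         username, password, scopes, default_audience=None):
    """Build the form body for POST https://{tenant}/oauth/token using the
    Resource Owner Password grant. Include "offline_access" in scopes to
    obtain a refresh token for sessions that must outlive the access token."""
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    }
    audience = choose_audience(tenant_domain, scopes, default_audience)
    if audience:
        body["audience"] = audience
    return body


def assess_token_response(response_json: str, requested_audience):
    """Summarise a /oauth/token JSON response: how long the access token
    lives, whether it was minted for /mfa/ (and so capped at 10 minutes),
    and whether a refresh token came back to renew the session with."""
    resp = json.loads(response_json)
    expires_in = int(resp["expires_in"])
    is_mfa = bool(requested_audience) and requested_audience.endswith("/mfa/")
    return {
        "expires_in": expires_in,
        "mfa_audience": is_mfa,
        "capped_at_mfa_lifetime": expires_in <= MFA_AUDIENCE_LIFETIME,
        "has_refresh_token": "refresh_token" in resp,
    }


# Constructed sample: what a /mfa/-audience response looks like (600s cap).
SAMPLE_MFA_RESPONSE = json.dumps({
    "access_token": "<placeholder-jwt>",
    "token_type": "Bearer",
    "expires_in": 600,
})

if __name__ == "__main__":
    tenant = "example-tenant.auth0.com"  # placeholder tenant domain
    enroll = build_password_grant(tenant, "<client-id>", "<client-secret>",
                                  "user@example.com", "<password>",
                                  ["openid", "enroll"])
    login = build_password_grant(tenant, "<client-id>", "<client-secret>",
                                 "user@example.com", "<password>",
                                 ["openid", "offline_access"],
                                 default_audience="https://api.example.com")
    print("enrolment audience:", enroll["audience"])
    print("login audience    :", login["audience"])
    print(assess_token_response(SAMPLE_MFA_RESPONSE, enroll["audience"]))
```

The enrolment request is the only one that carries the /mfa/ audience; the everyday login targets the application's API and asks for `offline_access`, so the client can renew with a refresh token instead of prompting the user again every 10 minutes.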

