Default /mfa/ audience's token expiration time

Access tokens with AUTH0_DOMAIN/mfa audience are restricted to 10 minutes expiry due to security reasons. This cannot be bypassed.

I would use that audience only when the MFA scopes are explicitly required, and use a different or no audience otherwise.
