Difference between refresh token expiration type and infinite token lifetime

I’m looking to configure the refresh tokens for my client but I’m unsure about the different purposes of the expiration type and infinite token lifetime settings.

From the management API docs:

PATCH /api/v2/clients/{id}
{
  "refresh_token": {
    "rotation_type": "non-rotating",
    "expiration_type": "expiring",
    "token_lifetime": 2592000,
    "infinite_token_lifetime": false,
    "idle_token_lifetime": 604800,
    "infinite_idle_token_lifetime": false
  }
}

If I set expiration_type=expiring, doesn’t that inherently mean that the token lifetime is not infinite? What happens if you set expiration_type=expiring and infinite_token_lifetime=true?

Hi @swarner1033,

Welcome to the Auth0 Community!

The distinction between expiration_type and infinite_token_lifetime is due to a separation in how refresh token behavior can be controlled in the Auth0 platform. Essentially, expiration_type acts as the primary switch to enable or disable expiration, while infinite_token_lifetime is a legacy setting that, when set to true, overrides the explicit numerical token_lifetime value.

The most explicit way to configure a non-expiring token is to set expiration_type: "non-expiring" as shown in the documentation.

https://auth0.com/docs/secure/tokens/refresh-tokens/configure-refresh-token-rotation#configure-with-the-auth0-spa-sdk

If you have any further questions, please don’t hesitate to reach out.

Have a good one,
Vlad
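
An added example, not part of the thread and not Auth0's own code: a small audit of a client's refresh_token object that flags any setting which can leave a refresh token without an absolute or idle expiry, including the expiring + infinite_token_lifetime=true combination asked about above. The field names and values are the ones shown in the question; the function name and finding codes are hypothetical, and the check reports the contradiction rather than assuming which setting the platform applies.

```python
import json

# Constructed sample: the refresh_token object from the question, changed to the
# combination the poster asks about (expiring + infinite_token_lifetime=true).
SAMPLE = json.loads("""
{
  "rotation_type": "non-rotating",
  "expiration_type": "expiring",
  "token_lifetime": 2592000,
  "infinite_token_lifetime": true,
  "idle_token_lifetime": 604800,
  "infinite_idle_token_lifetime": false
}
""")


def audit_refresh_token(cfg):
    """Return sorted finding codes (hypothetical names) for a refresh_token object."""
    findings = set()
    expiring = cfg.get("expiration_type") == "expiring"
    infinite_abs = cfg.get("infinite_token_lifetime") is True
    infinite_idle = cfg.get("infinite_idle_token_lifetime") is True
    lifetime = cfg.get("token_lifetime")

    if cfg.get("expiration_type") == "non-expiring":
        findings.add("NON_EXPIRING_TYPE")
    if infinite_abs:
        findings.add("INFINITE_ABSOLUTE_LIFETIME")
    if infinite_idle:
        findings.add("INFINITE_IDLE_LIFETIME")
    # The two fields disagree; flag it rather than guess which one wins.
    if expiring and infinite_abs:
        findings.add("CONTRADICTORY_EXPIRY")
    # An expiring token needs a positive absolute lifetime in seconds.
    if expiring and not infinite_abs and not (type(lifetime) is int and lifetime > 0):
        findings.add("MISSING_ABSOLUTE_LIFETIME")
    # Without rotation, a token with no absolute expiry stays usable until revoked.
    no_expiry = findings & {"NON_EXPIRING_TYPE", "INFINITE_ABSOLUTE_LIFETIME"}
    if cfg.get("rotation_type") == "non-rotating" and no_expiry:
        findings.add("NON_ROTATING_WITHOUT_EXPIRY")
    return sorted(findings)


if __name__ == "__main__":
    for code in audit_refresh_token(SAMPLE):
        print(code)
```

Run it over the refresh_token object of each client returned by the Management API to find clients whose settings disagree before changing any of them.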