I’m looking to configure the refresh tokens for my client but I’m unsure about the different purposes of the expiration type and infinite token lifetime settings.
From the management API docs:
PATCH /api/v2/clients/{id}
{
  "refresh_token": {
    "rotation_type": "non-rotating",
    "expiration_type": "expiring",
    "token_lifetime": 2592000,
    "infinite_token_lifetime": false,
    "idle_token_lifetime": 604800,
    "infinite_idle_token_lifetime": false
  }
}
If I set expiration_type=expiring, doesn’t that inherently mean that the token lifetime is not infinite? What happens if you set expiration_type=expiring and infinite_token_lifetime=true?
Hi @swarner1033,
Welcome to the Auth0 Community!
The distinction between expiration_type and infinite_token_lifetime is due to a separation in how refresh token behavior can be controlled in the Auth0 platform. Essentially, expiration_type acts as the primary switch to enable or disable expiration, while infinite_token_lifetime is a legacy setting that, when set to true, overrides the explicit numerical token_lifetime value.
The most explicit way to configure a non-expiring token is to set expiration_type: "non-expiring" as shown in the documentation.
https://auth0.com/docs/secure/tokens/refresh-tokens/configure-refresh-token-rotation#configure-with-the-auth0-spa-sdk
If you have any further questions, please don’t hesitate to reach out.
Have a good one,
Vlad
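A check for the setting combinations discussed in this thread, as an added example that is not part of the original posts and is not Auth0 code. The field names come from the request body in the question; `audit_refresh_token`, `codes` and the finding codes are hypothetical names, and the handling of `infinite_token_lifetime` follows the reply above rather than independently verified platform behavior.

```python
# Added example, not Auth0 code. Field names are taken from the request body
# quoted in the question; audit_refresh_token and the finding codes are
# hypothetical names chosen for this sketch.

def audit_refresh_token(cfg):
    """Return (code, message) findings for one client's refresh_token object."""
    findings = []
    expiring = cfg.get("expiration_type") == "expiring"
    lifetime = cfg.get("token_lifetime")

    if not expiring:
        findings.append(("NON_EXPIRING", "expiration_type is not 'expiring'"))
    elif cfg.get("infinite_token_lifetime") is True:
        # The combination asked about above. The reply in this thread says the
        # flag overrides token_lifetime, so report it as having no absolute expiry.
        findings.append(("INFINITE_OVERRIDE",
                         "infinite_token_lifetime=true with expiration_type=expiring"))
    elif type(lifetime) is not int or lifetime <= 0:
        findings.append(("NO_LIFETIME", "expiring token without a positive token_lifetime"))

    if expiring and cfg.get("infinite_idle_token_lifetime") is True:
        findings.append(("NO_IDLE_TIMEOUT", "infinite_idle_token_lifetime=true"))
    if cfg.get("rotation_type") == "non-rotating":
        findings.append(("NON_ROTATING", "the same refresh token is reused until it expires"))
    return findings


def codes(cfg):
    """Finding codes only, convenient for CI gates and assertions."""
    return [code for code, _ in audit_refresh_token(cfg)]


# Constructed sample inputs: the body from the question, and the same body
# with the flag the question asks about switched on.
FROM_QUESTION = {
    "rotation_type": "non-rotating",
    "expiration_type": "expiring",
    "token_lifetime": 2592000,
    "infinite_token_lifetime": False,
    "idle_token_lifetime": 604800,
    "infinite_idle_token_lifetime": False,
}
ASKED_ABOUT = dict(FROM_QUESTION, infinite_token_lifetime=True)

if __name__ == "__main__":
    for name, cfg in (("from question", FROM_QUESTION), ("asked about", ASKED_ABOUT)):
        print(name, codes(cfg))
```

Run it over the `refresh_token` object of each client before applying a PATCH, and treat any finding other than `NON_ROTATING` as a setting that leaves the token without an enforced expiry.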