Do refresh tokens expire? Why is there an 'exp' attribute?

Hi there,

according to refresh tokens never expire.

Since Refresh Tokens never expire, it is essential to be able to revoke them in case they get compromised.

Nevertheless, when I decode the refresh token I’m getting from Auth0, I see an ‘exp’ attribute. The lifetime is just a few thousand seconds. So what’s the ‘exp’ for, if refresh tokens never expire in the first place?


Auth0 currently only supports opaque refresh_tokens, which never expire. You must be looking into the access_token, which is JWT-based and usually short-lived (by default 24 hours).


Ahh, I see. I just put the refresh token in and the output got the ‘exp’ attribute. But it seems like you can put anything in there and get this kind of output. So my fault / strange behavior of this site.

Mystery solved, case closed, thank you :slight_smile:
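
The opaque-versus-JWT distinction from the reply above, as an added example that is not part of the original thread or Auth0's code: it checks that a token is structurally a JWT before reading `exp`, and reports anything else as opaque. The function names and both sample tokens are constructed for illustration, and the signature is not verified, so the claims are for inspection only.

```python
import base64
import json
import time


def _b64url_json(segment):
    """Decode one base64url segment to a JSON object, or return None."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        value = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    except (ValueError, UnicodeError):
        return None
    return value if isinstance(value, dict) else None


def inspect_token(token, now=None):
    """Classify a token as 'jwt' or 'opaque'; claims stay untrusted (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"kind": "opaque"}
    header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    # A JWT has a JSON header carrying "alg" and a JSON claims object.
    if header is None or payload is None or "alg" not in header:
        return {"kind": "opaque"}
    result = {"kind": "jwt", "exp": payload.get("exp")}
    if isinstance(result["exp"], (int, float)):
        now = time.time() if now is None else now
        result["seconds_left"] = int(result["exp"] - now)
    return result


def _seg(obj):
    """Build one unpadded base64url JSON segment (helper for the samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample values, not real tokens.
SAMPLE_JWT = ".".join([
    _seg({"alg": "RS256", "typ": "JWT"}),
    _seg({"sub": "user-1", "exp": 1700003600}),
    "c2lnbmF0dXJl",
])
SAMPLE_OPAQUE = "v1.Mr4xK9constructedOpaqueRefreshTokenValue"
```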
