According to Refresh Tokens, refresh tokens never expire.
Since Refresh Tokens never expire, it is essential to be able to revoke them in case they get compromised.
Nevertheless, when I decode the refresh token I'm getting from Auth0, I see an 'exp' attribute. The lifetime is just a few thousand seconds. So what's the 'exp' for, if refresh tokens never expire in the first place?
Auth0 currently only supports opaque refresh_tokens, which never expire. You must be looking at the access_token, which is JWT-based and usually short-lived (by default 24 hours).
Ahh, I see. I just put the refresh token into https://www.jsonwebtoken.io/ and the output got an 'exp' attribute. But it seems like you can put anything in there and get this kind of output. So my fault / strange behavior of this site.
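The two points made in this thread, that an opaque refresh token carries no claims to decode and that an online decoder shows you 'exp' without verifying anything, can be checked locally instead of by pasting a live token into a third-party site. The script below is an added example, not code from Auth0 or from the posters; it uses only the Python standard library. It assumes a constructed HS256-signed access token (built inline purely to have a realistic sample; Auth0 access tokens are issued by the tenant, typically RS256-signed) and a constructed string in the shape of an opaque refresh token. `inspect_token` does what jsonwebtoken.io does (base64url-decode the header and payload without checking the signature) but reports non-JWT input as opaque instead of inventing fields; `verify_hs256` shows the separate step that has to succeed before an 'exp' value means anything.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw):
    # JWT segments are base64url without '=' padding (RFC 7515 section 2)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # restore the padding the JWT encoding strips, then decode
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims, secret):
    """Build an HS256-signed JWT from a claims dict.

    Only here to construct a sample token for the demo (hypothetical helper);
    real tokens come from the issuer, never from client-side code.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def inspect_token(token):
    """Classify a token string as a JWT or as opaque.

    Returns {'kind': 'opaque'} or {'kind': 'jwt', 'header': ..., 'claims': ...}.
    Claims are decoded WITHOUT verifying the signature: fine for seeing what a
    token says, useless for trusting it.
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return {"kind": "opaque"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        # binascii.Error, UnicodeDecodeError and JSONDecodeError all subclass ValueError:
        # random bytes that happen to contain two dots are still not a JWT
        return {"kind": "opaque"}
    if not (isinstance(header, dict) and "alg" in header and isinstance(claims, dict)):
        return {"kind": "opaque"}
    return {"kind": "jwt", "header": header, "claims": claims}


def verify_hs256(token, secret):
    """Check an HS256 signature with a constant-time compare.

    Only after this (or, for RS256 tokens, a check against the issuer's JWKS)
    should the decoded 'exp' be acted on.
    """
    head, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), (head + "." + body).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def seconds_until_expiry(claims, now=None):
    """Seconds left until 'exp' (an RFC 7519 NumericDate).

    None when the token carries no 'exp' claim, negative when already expired.
    """
    if "exp" not in claims:
        return None
    now = time.time() if now is None else now
    return int(claims["exp"]) - int(now)


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the demo output is reproducible
    # constructed sample access token with the 24 h default lifetime mentioned above
    access_token = make_sample_jwt(
        {"iss": "https://example.auth0.com/", "sub": "auth0|123", "iat": NOW, "exp": NOW + 86400},
        "demo-secret",
    )
    # constructed string in the shape of an opaque refresh token (not a real one)
    refresh_token = "v1.MRjSEsTQwKVxuJ2Lr3xQy8oPbVnw9zqDfA7HcXgWe5KmN"
    for label, tok in (("access_token", access_token), ("refresh_token", refresh_token)):
        info = inspect_token(tok)
        if info["kind"] == "jwt":
            print(label, "is a JWT, alg=%s, exp in %d s, signature valid=%s"
                  % (info["header"]["alg"], seconds_until_expiry(info["claims"], NOW),
                     verify_hs256(tok, "demo-secret")))
        else:
            print(label, "is opaque: nothing to decode, revoke it server-side if it leaks")
```

Run it as a script and the constructed access token reports a 24-hour 'exp' while the refresh-token-shaped string is reported as opaque; feeding a real refresh token through `inspect_token` instead of a web decoder keeps a credential that never expires off someone else's server.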