
Do refresh tokens expire? Why is there an 'exp' attribute?

Hi there,

according to https://auth0.com/docs/tokens/refresh-token/current refresh tokens never expire.

Since Refresh Tokens never expire, it is essential to be able to revoke them in case they get compromised.

Nevertheless, when I decode the refresh token I’m getting from Auth0, I see an ‘exp’ attribute. The lifetime is just a few thousand seconds. So what's the ‘exp’ for, if refresh tokens never expire in the first place?

Thanks!

Auth0 currently only supports opaque refresh_tokens, which never expire. You must be looking into the access_token, which is JWT-based and is usually short-lived (by default 24 hours).

2 Likes

Ahh, I see. I just put the refresh token in https://www.jsonwebtoken.io/ and the output got the ‘exp’ attribute. But it seems like you can put anything in there and get this kind of output. So my fault / strange behavior of this site.

Mystery solved, case closed, thank you 🙂
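The distinction discussed in this thread, as an added example that is not part of the original posts and is not Auth0 code: a local check that reports whether a token is JWT-shaped and carries a numeric 'exp', instead of trusting whatever a web decoder displays. The function names and both sample tokens are constructed for illustration, and the signature is not verified.

```python
import base64
import json
import re
import time

B64URL = re.compile(r"[A-Za-z0-9_-]+")


def _segment_to_json(segment):
    """Decode one base64url segment into a JSON object; None if it is not one."""
    if not B64URL.fullmatch(segment):
        return None
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        obj = json.loads(raw)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) else None


def classify_token(token, now=None):
    """Report whether a token is JWT-shaped and, if so, its 'exp' claim.

    Structure check only: the signature is NOT verified, so never use the
    result for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"kind": "opaque"}
    header, payload = _segment_to_json(parts[0]), _segment_to_json(parts[1])
    if header is None or payload is None or "alg" not in header:
        return {"kind": "opaque"}
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return {"kind": "jwt", "exp": None, "seconds_left": None}
    now = time.time() if now is None else now
    return {"kind": "jwt", "exp": exp, "seconds_left": exp - now}


def _enc(obj):
    """Helper used only to build the constructed sample JWT below."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample tokens (not real Auth0 values).
SAMPLE_JWT = ".".join([_enc({"alg": "RS256", "typ": "JWT"}),
                       _enc({"sub": "constructed-user", "exp": 1700086400}),
                       "constructed-signature"])
SAMPLE_OPAQUE = "constructed_opaque_refresh_token_0123456789"
```

An opaque token yields no claims at all, so an 'exp' shown for it by a decoder is not information contained in the token.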
