Expiration parameters for tokens and activity

Please help me understand the differences between:

Application:
JWT Expiration (seconds)

API:
Token Expiration (seconds)
Token Expiration For Browser Flows (seconds)

Tenant:
Inactivity timeout (minutes)
Require log in after (minutes)

The fields exist but there’s really no documentation of what they mean. Thank you.

  • JWT expiration in Applications sets the duration of the ID Token. The ID Token is the security token that has information about the user, and is used for authentication purposes. It is meant to be consumed by the client application directly. Applications usually consume this token once upon receiving the authentication response from Auth0 and set a session, so its duration is not really that meaningful in most cases.

  • The token expiration settings in the API section control the duration of access tokens issued to access that API. Access Tokens are issued to applications, and applications use the token to make API requests on behalf of the user.
    The duration of the Access Token is important, because once it’s expired the application won’t be able to make new API requests until it gets a renewed token.
    There are two expiration settings. The first one (“Token expiration”) is used for flows where the application is more capable of keeping the access token secured. This is the case for web or native applications. The second setting (“for browser flows”) should be much shorter, under the assumption that browser applications are not as good at keeping secrets, so if a token is compromised at least it won’t last long.

  • The tenant settings control the duration of the user session at the Auth0 domain. When an application requests a token and the user logs in at the Auth0 domain, a session at Auth0 is also created. If the same application or another application secured by the same Auth0 domain were to ask for a new token while the user still has a valid session, the user does not need to authenticate again at Auth0.
    The Inactivity timeout is a sliding window of time. As long as the user (or rather, the application) makes a token request to Auth0 before that time passes, the user session at Auth0 is renewed for that period of time. E.g. if the Auth0 Inactivity timeout is 7 days, and the application asks for a new token every day, the user session will continue to be valid and the user does not need to authenticate. If no application requests a token for 7 days, the session at Auth0 expires.
    The Require log in after value is a hard value that, once reached, invalidates the user session, so that the next time an application requests a token the user will have to authenticate again.

Hope that helps!

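The interplay the answer describes (an access token that expires and forces the application back to Auth0, a tenant session renewed by each such request but capped by an absolute lifetime) is easy to get wrong when reasoning about it in your head, so here is a small simulation of those rules. This is an added example written for this page, not Auth0 code: the class names, the `simulate` helper, and the assumption that a token is expired once `now >= exp` and that the session checks use strict `<` comparisons are all illustrative choices. Times are plain integer seconds so the scenarios are deterministic.

```python
"""Model of the lifetimes described above (added example, not Auth0's code).

- access_token_lifetime: the API's "Token Expiration" (or the browser-flow
  value), in seconds. When it runs out the app must ask Auth0 for a new token.
- TenantPolicy.inactivity_timeout: sliding window renewed by every token request.
- TenantPolicy.require_login_after: absolute cap measured from the login itself.
Names and the >= / < boundary choices are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class TenantPolicy:
    inactivity_timeout: int    # seconds (the dashboard field is in minutes)
    require_login_after: int   # seconds (the dashboard field is in minutes)


@dataclass
class Session:
    created_at: int       # when the user last authenticated interactively
    last_activity: int    # last token request that touched this session


class Auth0Tenant:
    """Stand-in for the authorization server's session bookkeeping."""

    def __init__(self, policy: TenantPolicy) -> None:
        self.policy = policy
        self.session: Optional[Session] = None

    def session_valid(self, now: int) -> bool:
        s = self.session
        if s is None:
            return False
        idle = now - s.last_activity
        age = now - s.created_at
        # Both limits must hold: the sliding window AND the absolute cap.
        return (idle < self.policy.inactivity_timeout
                and age < self.policy.require_login_after)

    def token_request(self, now: int, access_token_lifetime: int) -> Tuple[bool, int]:
        """Handle an app asking for a token. Returns (login_required, token_exp)."""
        login_required = not self.session_valid(now)
        if login_required:
            # Interactive login: a brand-new session with a fresh absolute clock.
            self.session = Session(created_at=now, last_activity=now)
        else:
            # Silent renewal: only the sliding window moves, created_at does not.
            self.session.last_activity = now
        return login_required, now + access_token_lifetime


def simulate(policy: TenantPolicy, access_token_lifetime: int,
             api_call_times: List[int]) -> List[int]:
    """Replay API calls made by one app; return the times a login was required."""
    tenant = Auth0Tenant(policy)
    token_exp: Optional[int] = None
    logins: List[int] = []
    for now in api_call_times:
        if token_exp is None or now >= token_exp:   # assumed: expired at exp
            required, token_exp = tenant.token_request(now, access_token_lifetime)
            if required:
                logins.append(now)
        # else: the cached access token is still good, Auth0 is not contacted
    return logins


if __name__ == "__main__":
    policy = TenantPolicy(inactivity_timeout=7 * DAY, require_login_after=30 * DAY)

    # Constructed scenario 1: calls every 6h for 40 days, 1-day access tokens.
    # Daily token requests keep the sliding window alive; only the 30-day cap bites.
    steady = list(range(0, 40 * DAY, 6 * HOUR))
    print([t // DAY for t in simulate(policy, DAY, steady)])        # [0, 30]

    # Constructed scenario 2: active for 4 days, silent until day 12, then daily.
    # The 8-day gap exceeds the 7-day inactivity timeout, so day 12 needs a login.
    gap = list(range(0, 4 * DAY, 6 * HOUR)) + list(range(12 * DAY, 20 * DAY, DAY))
    print([t // DAY for t in simulate(policy, DAY, gap)])           # [0, 12]
```

Scenario 1 reproduces the answer's "asks for a new token every day" case: the 1-day access token lifetime is what drives the app back to Auth0 often enough to keep the 7-day sliding window open, and the only forced logins come from `require_login_after`. Scenario 2 shows the inactivity timeout expiring a session even though the absolute cap is far away. Swapping in a much shorter `access_token_lifetime` (as you would for the browser-flow setting) changes how often the app talks to Auth0 but not when the user has to log in, which is the point of keeping the two kinds of lifetime separate.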