Guidance - Different TTL for access token expiration in different Applications using the same API

I am wondering what the guidance would be for two applications using the same API that have different session requirements.

We have a website calling the API that we want to have a long lived session, let’s say 30 days. And then we have a separate SPA application that we want to have a short lived session, let’s say 30 min.

My thought was for the two applications to have two different JWT aud identifiers with different access token TTL values, but JWT validation will only check for one value within the array of aud values.

The last resort will be for the SPA to have a 30 min timer extended by activity in the application and force a logout if there is no activity.

Any other thoughts and ideas are appreciated!

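As an added illustration of the aud-validation point above (example code, not from the original post or any product it refers to), here is an API-side check in Python that accepts a token only when exactly one known audience is present and the token's lifetime fits that audience's policy, so a token minted for the SPA audience with a 30-day lifetime is refused even if the issuer was misconfigured. The audience names, shared secret and TTL table are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed demo secret; a real API would hold the issuer's verification key.
SECRET = b"demo-shared-secret-not-for-production"

# Hypothetical policy: maximum token lifetime per audience, in seconds.
MAX_TTL = {
    "website-api": 30 * 24 * 3600,  # long-lived website session, 30 days
    "spa-api": 30 * 60,             # short-lived SPA session, 30 minutes
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(aud: str, ttl: int, now: int) -> str:
    """Stand-in for the issuer: an HS256 JWT for one audience with the given TTL."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"aud": [aud], "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate(token: str, now: int) -> dict:
    """API-side check: alg, signature, expiry, exactly one known aud, TTL ceiling."""
    header, body, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if now >= claims["exp"]:
        raise ValueError("expired")
    aud = claims.get("aud", [])
    known = [a for a in ([aud] if isinstance(aud, str) else aud) if a in MAX_TTL]
    if len(known) != 1:  # token must be for exactly one of our audiences
        raise ValueError("audience not recognised or ambiguous")
    if claims["exp"] - claims["iat"] > MAX_TTL[known[0]]:
        raise ValueError(f"lifetime exceeds policy for {known[0]}")
    return claims

def decision(token: str, now: int) -> str:
    """Middleware-style verdict: 'ok' or the reason the token was refused."""
    try:
        validate(token, now)
        return "ok"
    except ValueError as e:
        return str(e)
```

The issuer still decides the actual TTL per client; the ceiling here is a second line of defence that also makes the per-application policy visible in the API's own logs.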