We currently have set up Auth0 with two APIs, connected through to two different applications (which correspond to multiple actual web applications).
As we feel our way around Auth0 and find out what’s possible, we’ve decided to have two different token expiries for the two APIs - one being 2 hours, the second being 24 hours. The reasoning behind the different expiries is the nature of access - one API is used to access data in a publicly accessible web application that is widely available, the other to access data in a publicly available but much less widely used application (really an internal-only application).
My question around this is how Auth0 handles SSO and token expiries in this scenario. Are tokens to both APIs/Applications maintained, and when one expires, the user needs to request another from Auth0? Or is whatever token was set most recently used?
A scenario I can think of is a user logging in to the 2-hour expiry API/Application, then moving on to the 24-hour expiry API/Application via SSO. Will the user then be forced to re-authenticate via Auth0 (really just a redirect in this case) if going back to the first API/Application after 2 hours? Or are they now logged in to both for 24 hours?
Any help here would be appreciated!
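The following is an added example, not part of the question above and not Auth0's own code, showing the model the scenario describes from the browser client's side. An access token is issued per audience (API) with that API's configured lifetime, so the two tokens expire independently; whether a fresh redirect to `/authorize` prompts for credentials again depends on the separate SSO session the authorization server keeps on its own domain, not on either token's `exp`. The tenant domain, client ID, audience URLs, redirect URI and the unsigned sample tokens are all constructed placeholders; real Auth0 access tokens are signed and must be verified by the API, which this client-side snippet does not do.

```javascript
// Added example (not from the original post): a client holding one access token
// per API audience, checking expiry per audience, and building the silent
// re-authorization request for just the audience whose token has expired.
// AUTH0_DOMAIN, CLIENT_ID and the audience URLs are assumed placeholders.

const AUTH0_DOMAIN = 'example.auth0.com';    // assumption: placeholder tenant
const CLIENT_ID = 'client-id-placeholder';   // assumption: placeholder client id

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed, unsigned JWT for demonstration only. Real tokens are signed and
// the signature must be verified by the API; here we only need iat/exp/aud to
// show how expiry is handled per audience on the client.
function makeSampleToken(aud, iat, lifetimeSeconds) {
  const header = b64url({ alg: 'none', typ: 'JWT' });
  const payload = b64url({ iss: `https://${AUTH0_DOMAIN}/`, aud, iat, exp: iat + lifetimeSeconds });
  return `${header}.${payload}.`;
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const json = Buffer.from(parts[1].replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
  return JSON.parse(json);
}

// Treat a token as expired slightly early so a request already in flight does
// not hit the API with a 401 exactly at exp.
function isExpired(token, nowSeconds, skewSeconds = 60) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== 'number' || nowSeconds + skewSeconds >= exp;
}

// One token per audience; each audience is evaluated on its own exp claim.
// A fresh token for the 24-hour API does nothing for the 2-hour API's token.
function audiencesNeedingRenewal(tokenStore, nowSeconds) {
  return Object.keys(tokenStore).filter((aud) => isExpired(tokenStore[aud], nowSeconds));
}

// Renewal is a redirect to /authorize for that audience only. prompt=none asks
// the authorization server to answer from its own SSO session without showing
// a login page; if that session has ended it redirects back with
// error=login_required and the app must do an interactive login instead.
function buildSilentAuthUrl({ audience, redirectUri, state, nonce, scope = 'openid' }) {
  const url = new URL(`https://${AUTH0_DOMAIN}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    audience,
    redirect_uri: redirectUri,
    scope,
    state,
    nonce,
    prompt: 'none',
  }).toString();
  return url.toString();
}

// Constructed walkthrough of the scenario in the question: login at T0 against
// the 2-hour API, then SSO to the 24-hour API at the same time.
const T0 = 1700000000;
const PUBLIC_API = 'https://api.public.example/';      // assumption: placeholder audience
const INTERNAL_API = 'https://api.internal.example/';  // assumption: placeholder audience
const tokenStore = {
  [PUBLIC_API]: makeSampleToken(PUBLIC_API, T0, 2 * 3600),
  [INTERNAL_API]: makeSampleToken(INTERNAL_API, T0, 24 * 3600),
};

// Three hours later only the public API's token needs renewing; the internal
// API's token is still good, and the renewal URL targets only that audience.
const staleAfterThreeHours = audiencesNeedingRenewal(tokenStore, T0 + 3 * 3600);
const renewalUrl = staleAfterThreeHours.length
  ? buildSilentAuthUrl({ audience: staleAfterThreeHours[0], redirectUri: 'https://app.example/callback', state: 's1', nonce: 'n1' })
  : null;
```

The point of keying the store by audience is that the answer to "which token is used" is neither: the client must send the token whose `aud` matches the API it is calling, and each one is renewed on its own schedule. Handling `error=login_required` on the silent request is what decides whether the user sees a login page again.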